diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 62d92ba50e18..a1ca5dcdcb19 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -32,9 +32,9 @@ let
     ''
       # Helper command to manipulate both the IPv4 and IPv6 tables.
       ip46tables() {
-        iptables "$@"
+        iptables -w "$@"
         ${optionalString config.networking.enableIPv6 ''
-          ip6tables "$@"
+          ip6tables -w "$@"
         ''}
       }
     '';
@@ -386,7 +386,7 @@ in
 
             # Optionally respond to ICMPv4 pings.
             ${optionalString cfg.allowPing ''
-              iptables -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null)
+              iptables -w -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null)
                 "-m limit ${cfg.pingLimit} "
               }-j nixos-fw-accept
             ''}
diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix
index 3d3899a5c41a..7f4094de12f1 100644
--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
@@ -95,26 +95,26 @@ in
 
         preStart =
           ''
-            iptables -t nat -F PREROUTING
-            iptables -t nat -F POSTROUTING
-            iptables -t nat -X
+            iptables -w -t nat -F PREROUTING
+            iptables -w -t nat -F POSTROUTING
+            iptables -w -t nat -X
 
             # We can't match on incoming interface in POSTROUTING, so
             # mark packets coming from the external interfaces.
             ${concatMapStrings (iface: ''
-              iptables -t nat -A PREROUTING \
+              iptables -w -t nat -A PREROUTING \
                 -i '${iface}' -j MARK --set-mark 1
             '') cfg.internalInterfaces}
 
             # NAT the marked packets.
             ${optionalString (cfg.internalInterfaces != []) ''
-              iptables -t nat -A POSTROUTING -m mark --mark 1 \
+              iptables -w -t nat -A POSTROUTING -m mark --mark 1 \
                 -o ${cfg.externalInterface} ${dest}
             ''}
 
             # NAT packets coming from the internal IPs.
             ${concatMapStrings (range: ''
-              iptables -t nat -A POSTROUTING \
+              iptables -w -t nat -A POSTROUTING \
                 -s '${range}' -o ${cfg.externalInterface} ${dest}
             '') cfg.internalIPs}
 
@@ -123,9 +123,9 @@ in
 
         postStop =
           ''
-            iptables -t nat -F PREROUTING
-            iptables -t nat -F POSTROUTING
-            iptables -t nat -X
+            iptables -w -t nat -F PREROUTING
+            iptables -w -t nat -F POSTROUTING
+            iptables -w -t nat -X
           '';
       };
   };