diff --git a/ChangeLog b/ChangeLog
index c897ca0..a3c6909 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 1.1 - Brielle Bruns <bruns@2mbit.com>
 	- Reorder rules, place allow before block to allow overrides
+	- Fixes for conntrack rules for better security (added -o)
 
 1.0 - Brielle Bruns <bruns@2mbit.com>
 	- Minor tweaks to various config files
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 12b9153..623ed97 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -700,9 +700,9 @@ if [ $NAT ]; then
 			SNAT)
 				$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
 					-o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]} 
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j ACCEPT
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j ACCEPT
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j DROP
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -o ${NAT_RULE[3]} -j ACCEPT
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -o ${NAT_RULE[3]} -j ACCEPT
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -o ${NAT_RULE[3]} -j DROP
 				display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
 				if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
 					$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \