diff --git a/meta-dstack/recipes-core/images/dstack-rootfs-base.inc b/meta-dstack/recipes-core/images/dstack-rootfs-base.inc
index 8998252..a799eaf 100644
--- a/meta-dstack/recipes-core/images/dstack-rootfs-base.inc
+++ b/meta-dstack/recipes-core/images/dstack-rootfs-base.inc
@@ -26,6 +26,26 @@ IMAGE_INSTALL = "\
 kernel-module-br-netfilter \
 kernel-module-xt-mark \
 kernel-module-xt-connmark \
+ kernel-module-xt-comment \
+ kernel-module-xt-multiport \
+ kernel-module-xt-statistic \
+ kernel-module-xt-redirect \
+ kernel-module-xt-tcpmss \
+ kernel-module-xt-ct \
+ kernel-module-xt-log \
+ kernel-module-xt-limit \
+ kernel-module-nf-tables \
+ kernel-module-nft-compat \
+ kernel-module-nft-nat \
+ kernel-module-nft-chain-nat \
+ kernel-module-nft-masq \
+ kernel-module-nft-redir \
+ kernel-module-nft-ct \
+ kernel-module-nft-log \
+ kernel-module-nft-limit \
+ kernel-module-nft-reject \
+ kernel-module-nft-reject-inet \
+ kernel-module-nft-hash \
 fuse3 \
 fuse3-utils \
 pigz \
diff --git a/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg b/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg
index 64a2bef..015be74 100644
--- a/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg
+++ b/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg
@@ -1,6 +1,21 @@
 CONFIG_BRIDGE=m
 CONFIG_BRIDGE_NETFILTER=m
 CONFIG_NETFILTER_XT_MATCH_IPVS=m
+
+# nf_tables support (needed by modern iptables-nft backend)
+CONFIG_NF_TABLES=m
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_NETDEV=y
+CONFIG_NFT_COMPAT=m
+CONFIG_NFT_NAT=m
+CONFIG_NFT_MASQ=m
+CONFIG_NFT_REDIR=m
+CONFIG_NFT_CT=m
+CONFIG_NFT_LOG=m
+CONFIG_NFT_LIMIT=m
+CONFIG_NFT_REJECT=m
+CONFIG_NFT_REJECT_INET=m
+CONFIG_NFT_HASH=m
 CONFIG_BPF_SYSCALL=y
 CONFIG_IP_VS=m
 CONFIG_SECCOMP=y
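Review bot: The eight `kernel-module-xt-*` packages added to IMAGE_INSTALL in dstack-rootfs-base.inc (xt-comment through xt-limit) have no matching options in the dstack-docker.cfg hunk of this commit, which enables only the nf_tables side. If those xtables options are not already set to `m` in another fragment, the packages will probably not be produced; the image build is then likely to fail, or rules that depend on them will not load at runtime. Consider adding the corresponding lines beside the NFT block, for example `CONFIG_NETFILTER_XT_MATCH_COMMENT=m`, `CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m` and `CONFIG_NETFILTER_XT_TARGET_REDIRECT=m`, or say in a comment which fragment provides them. The IMAGE_INSTALL assignment begins and ends outside this hunk, so entries elsewhere in the list were not checked.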
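Review bot: The comment on the new nf_tables block in dstack-docker.cfg records only the compatibility reason, but the block also exposes a sizeable kernel interface to any process holding CAP_NET_ADMIN over a network namespace. Because most of the options are `=m`, the modules can be loaded on demand rather than only when the host tooling needs them. Nothing visible in this fragment shows how user namespaces or container capabilities are limited for workloads in the guest, so that is worth confirming before shipping the image. I would extend the comment to record the constraint, e.g. `# nf_tables is reachable with CAP_NET_ADMIN in any netns; keep unprivileged user namespaces restricted and do not grant NET_ADMIN to workload containers`.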