fix mangle rules for incoming traffic

systems/LoutreOS/network.nix

@@ -88,9 +88,14 @@
         ip46tables -w -t mangle -X loutreos-mangle-pre 2>/dev/null || true
         ip46tables -w -t mangle -N loutreos-mangle-pre
 
-        # Restore the packet's CONNMARK to the MARK for existing connections
+        # Restore the packet's CONNMARK to the MARK for existing incoming connections
         ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --restore-mark
 
+        # Restore CONNMARK to MARK for outgoing packets before final routing decision
+        ip46tables -w -t mangle -D OUTPUT -j CONNMARK --restore-mark 2>/dev/null || true
+        ip46tables -w -t mangle -A OUTPUT -j CONNMARK --restore-mark
+
+
         # If packet MARK is set, then it means that there is already a connection mark
         ip46tables -w -t mangle -A loutreos-mangle-pre -m mark ! --mark 0 -j ACCEPT
 
@@ -100,8 +105,11 @@
         ip46tables -w -t mangle -A loutreos-mangle-pre -i enp0s21u1 -j MARK --set-mark 2
         ip46tables -w -t mangle -A loutreos-mangle-pre -i wg0 -j MARK --set-mark 3
 
+        # Save new mark in CONNMARK
+        ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --save-mark
+
         # Jump to newly created target 
-        ip46tables -w -t mangle -A PREROUTING -j loutreos-mangle-pre
+        ip46tables -w -t mangle -I PREROUTING 1 -j loutreos-mangle-pre
 
         # Save MARK to CONNMARK.
         ip46tables -w -t mangle -D POSTROUTING -j CONNMARK --save-mark 2>/dev/null || true