diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 73cf18118..2204aa2d1 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -156,16 +156,14 @@ jobs:
 
           for image in "${IMAGES[@]}"; do
             SOURCE_TAG=${{ steps.login.outputs.registry }}/firezone/${image}:${{ inputs.tag || github.sha }}
-            docker pull --all-tags ${SOURCE_TAG}
 
-            echo "Retagging ${image} from ${SOURCE_TAG}"
-
-            docker tag ${SOURCE_TAG} ghcr.io/firezone/${image}:${{ inputs.tag || github.sha }}
-            docker tag ${SOURCE_TAG} ghcr.io/firezone/${image}:${{ env.VERSION }}
-            docker tag ${SOURCE_TAG} ghcr.io/firezone/${image}:${{ env.VERSION }}-${{ inputs.tag || github.sha }}
-            docker tag ${SOURCE_TAG} ghcr.io/firezone/${image}:latest
-            docker tag ${SOURCE_TAG} ghcr.io/firezone/${image}:${MAJOR_VERSION}
-            docker tag ${SOURCE_TAG} ghcr.io/firezone/${image}:${MAJOR_MINOR_VERSION}
-
-            docker push --all-tags ghcr.io/firezone/${image}
+            docker buildx imagetools create \
+              -t ghcr.io/firezone/${image}:${{ inputs.tag || github.sha }} \
+              -t ghcr.io/firezone/${image}:${{ env.VERSION }} \
+              -t ghcr.io/firezone/${image}:${{ env.VERSION }} \
+              -t ghcr.io/firezone/${image}:${{ env.VERSION }}-${{ inputs.tag || github.sha }} \
+              -t ghcr.io/firezone/${image}:latest \
+              -t ghcr.io/firezone/${image}:${MAJOR_VERSION} \
+              -t ghcr.io/firezone/${image}:${MAJOR_MINOR_VERSION} \
+              $SOURCE_TAG
           done
diff --git a/rust/Dockerfile b/rust/Dockerfile
index 462480155..563bc3ce3 100644
--- a/rust/Dockerfile
+++ b/rust/Dockerfile
@@ -87,7 +87,7 @@ COPY . .
 
 ARG TARGET
 ARG PACKAGE
-RUN cargo build -p ${PACKAGE} $([ -v "${TARGET}" ] && "--target ${TARGET}")
+RUN cargo build -p ${PACKAGE} $([ -n "${TARGET}" ] && "--target ${TARGET}")
 
 # Image which is used to run the application binary
 FROM alpine:${ALPINE_VERSION} AS runtime
diff --git a/rust/docker-init.sh b/rust/docker-init.sh
index 84cd97813..b70d8bd5f 100755
--- a/rust/docker-init.sh
+++ b/rust/docker-init.sh
@@ -3,12 +3,14 @@
 if [ "${FIREZONE_ENABLE_MASQUERADE}" = "1" ]; then
   IFACE="tun-firezone"
   # Enable masquerading for ethernet and wireless interfaces
-  iptables-nft -A FORWARD -i $IFACE -j ACCEPT
-  iptables-nft -A FORWARD -o $IFACE -j ACCEPT
-  iptables-nft -t nat -A POSTROUTING -o eth+ -j MASQUERADE
-  ip6tables-nft -A FORWARD -i $IFACE -j ACCEPT
-  ip6tables-nft -A FORWARD -o $IFACE -j ACCEPT
-  ip6tables-nft -t nat -A POSTROUTING -o eth+ -j MASQUERADE
+  iptables -C FORWARD -i $IFACE -j ACCEPT > /dev/null 2>&1 || iptables -A FORWARD -i $IFACE -j ACCEPT
+  iptables -C FORWARD -o $IFACE -j ACCEPT > /dev/null 2>&1 || iptables -A FORWARD -o $IFACE -j ACCEPT
+  iptables -t nat -C POSTROUTING -o e+ -j MASQUERADE > /dev/null 2>&1 || iptables -t nat -A POSTROUTING -o e+ -j MASQUERADE
+  iptables -t nat -C POSTROUTING -o w+ -j MASQUERADE > /dev/null 2>&1 || iptables -t nat -A POSTROUTING -o w+ -j MASQUERADE
+  ip6tables -C FORWARD -i $IFACE -j ACCEPT > /dev/null 2>&1 || ip6tables -A FORWARD -i $IFACE -j ACCEPT
+  ip6tables -C FORWARD -o $IFACE -j ACCEPT > /dev/null 2>&1 || ip6tables -A FORWARD -o $IFACE -j ACCEPT
+  ip6tables -t nat -C POSTROUTING -o e+ -j MASQUERADE > /dev/null 2>&1 || ip6tables -t nat -A POSTROUTING -o e+ -j MASQUERADE
+  ip6tables -t nat -C POSTROUTING -o w+ -j MASQUERADE > /dev/null 2>&1 || ip6tables -t nat -A POSTROUTING -o w+ -j MASQUERADE
 fi
 
 if [ "${LISTEN_ADDRESS_DISCOVERY_METHOD}" = "gce_metadata" ]; then