diff --git a/.dockerignore b/.dockerignore
index aad1bca..c25a3c0 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,3 @@
+/protomask-tun/target
 /target
-!/target/x86_64-unknown-linux-musl/release/protomask
-/.github
+!/target/x86_64-unknown-linux-musl/release/protomask
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 368141a..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,7 +0,0 @@
-FROM alpine:latest
-
-# Copy the binary from the builder container
-COPY ./target/x86_64-unknown-linux-musl/release/protomask /usr/local/bin/protomask
-
-# NOTE: We expect the config file to be mounted at /etc/protomask.toml
-ENTRYPOINT ["/usr/local/bin/protomask", "/etc/protomask.toml"]
\ No newline at end of file
diff --git a/Makefile b/Makefile
index a032b13..36e9dba 100644
--- a/Makefile
+++ b/Makefile
@@ -1,9 +1,16 @@
-SRC=$(wildcard src/*.rs) $(wildcard src/**/*.rs) $(wildcard src/**/**/*.rs) Cargo.toml
+# All sources used to build the protomask binary
+SRC = Cargo.toml $(shell find src/ -type f -name '*.rs') $(shell find protomask-tun/src/ -type f -name '*.rs')
 
-target/debug/protomask: $(SRC)
-	cross build --target x86_64-unknown-linux-musl
-	sudo setcap cap_net_admin=eip $@
+# Used to auto-version things
+GIT_HASH ?= $(shell git log --format="%h" -n 1)
 
-target/release/protomask: $(SRC)
+# Release binary for x64
+target/x86_64-unknown-linux-musl/release/protomask: $(SRC)
 	cross build --target x86_64-unknown-linux-musl --release
-	sudo setcap cap_net_admin=eip $@
\ No newline at end of file
+# sudo setcap cap_net_admin=eip $@
+
+# Release binary for aarch64
+target/aarch64-unknown-linux-musl/release/protomask: $(SRC)
+	cross build --target aarch64-unknown-linux-musl --release
+# sudo setcap cap_net_admin=eip $@
+
diff --git a/scripts/build_release_packages.sh b/scripts/build_release_packages.sh
deleted file mode 100644
index fd87958..0000000
--- a/scripts/build_release_packages.sh
+++ /dev/null
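Review bot: Both release targets now carry `# sudo setcap cap_net_admin=eip $@` as a commented-out recipe line, so the built binaries no longer receive CAP_NET_ADMIN at build time and nothing in the Makefile says how the capability is expected to be granted instead; either delete the dead lines or replace them with a comment such as `# cap_net_admin is no longer set at build time; grant it at install/deploy time (setcap or container capabilities)` above the first target. `GIT_HASH` is defined with `?=` but no recipe in the file references it, so as written it is unused unless another tool reads the variable out of band. If it is meant for versioning, note that `%h` yields an abbreviated hash whose length can vary between repositories; `%H` is stable.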
@@ -1,10 +0,0 @@
-#! /bin/bash
-# Builds everything needed for a new release
-set -ex
-
-# Build RPM
-cargo rpm build
-
-# Build Docker image
-cross build --release --target x86_64-unknown-linux-musl
-docker build -t ewpratten/protomask:latest .
diff --git a/src/nat/error.rs b/src/nat/error.rs
new file mode 100644
index 0000000..b924baa
--- /dev/null
+++ b/src/nat/error.rs
@@ -0,0 +1,15 @@
+#[derive(Debug, thiserror::Error)]
+pub enum Nat64Error {
+    #[error(transparent)]
+    TableError(#[from] super::table::TableError),
+    #[error(transparent)]
+    TunError(#[from] protomask_tun::Error),
+    #[error(transparent)]
+    IoError(#[from] std::io::Error),
+    #[error(transparent)]
+    PacketHandlingError(#[from] crate::packet::error::PacketError),
+    #[error(transparent)]
+    PacketReceiveError(#[from] tokio::sync::broadcast::error::RecvError),
+    #[error(transparent)]
+    PacketSendError(#[from] tokio::sync::mpsc::error::SendError>),
+}
diff --git a/src/nat/mod.rs b/src/nat/mod.rs
index aa1ff8f..42d4d68 100644
--- a/src/nat/mod.rs
+++ b/src/nat/mod.rs
@@ -4,6 +4,7 @@ use crate::packet::{
 };
 
 use self::{
+    error::Nat64Error,
     table::Nat64Table,
     utils::{embed_address, extract_address},
 };
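Review bot: `Nat64Error` is a public enum with no doc comment; add `/// Errors that can abort the NAT64 packet-processing loop.` above the `#[derive]` and a one-line `///` on each variant naming its origin (address table, TUN device, raw I/O, packet parsing, broadcast receive, mpsc send). Every variant is `#[error(transparent)]`, so a logged `Nat64Error` shows only the inner error's text with no hint of which NAT64 stage failed; for the variants whose inner type is generic (`IoError` and the two channel errors) a wrapper such as `#[error("failed to send translated packet: {0}")]` would keep that context without changing callers. The type argument of `SendError` appears to have been lost in the rendering of this page, so its exact form is not checked here.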
@@ -13,29 +14,12 @@ use std::{
     net::{IpAddr, Ipv4Addr, Ipv6Addr},
     time::Duration,
 };
-use tokio::sync::{broadcast, mpsc};
+use tokio::sync::broadcast;
 
+mod error;
 mod table;
 mod utils;
 
-#[derive(Debug, thiserror::Error)]
-pub enum Nat64Error {
-    #[error(transparent)]
-    TableError(#[from] table::TableError),
-    #[error(transparent)]
-    TunError(#[from] protomask_tun::Error),
-    #[error(transparent)]
-    IoError(#[from] std::io::Error),
-    // #[error(transparent)]
-    // XlatError(#[from] xlat::PacketTranslationError),
-    #[error(transparent)]
-    PacketHandlingError(#[from] crate::packet::error::PacketError),
-    #[error(transparent)]
-    PacketReceiveError(#[from] broadcast::error::RecvError),
-    #[error(transparent)]
-    PacketSendError(#[from] mpsc::error::SendError>),
-}
-
 pub struct Nat64 {
     table: Nat64Table,
     interface: TunDevice,
@@ -116,11 +100,32 @@ impl Nat64 {
             // Parse the packet
             let packet: Ipv6Packet> = packet.try_into()?;
 
+            // Drop packets "coming from" the NAT64 prefix
+            if self.ipv6_nat_prefix.contains(&packet.source_address) {
+                log::warn!(
+                    "Dropping packet \"from\" NAT64 prefix: {} -> {}",
+                    packet.source_address,
+                    packet.destination_address
+                );
+                continue;
+            }
+
             // Get the new source and dest addresses
             let new_source = self.table.get_or_assign_ipv4(packet.source_address)?;
             let new_destination = extract_address(packet.destination_address);
 
+            // Drop packets destined for private IPv4 addresses
+            if new_destination.is_private() {
+                log::warn!(
+                    "Dropping packet destined for private IPv4 address: {} -> {} ({})",
+                    packet.source_address,
+                    packet.destination_address,
+                    new_destination
+                );
+                continue;
+            }
+
             // Spawn a task to process the packet
             tokio::spawn(async move {
                 let output =
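Review bot: `mod error;` is declared private and `Nat64Error` is only brought into `nat/mod.rs` through the private `use self::{ error::Nat64Error, ... }` added in the previous hunk, whereas the removed lines show the enum was previously a `pub enum` declared directly in this module; any code outside `nat` that named `crate::nat::Nat64Error` (for instance whatever consumes the result of running `Nat64`) would no longer resolve. If the type is meant to stay reachable from outside the module, change the import to `pub use self::error::Nat64Error;` or declare `pub mod error;`. If nothing outside the module uses it, the narrowing is fine, but a short comment on `mod error;` would make the reduced visibility read as deliberate rather than accidental.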