diff --git a/cmd/tailscale/tailscale.go b/cmd/tailscale/tailscale.go
index 34a225997..447747313 100644
--- a/cmd/tailscale/tailscale.go
+++ b/cmd/tailscale/tailscale.go
@@ -212,10 +212,10 @@ func runUp(ctx context.Context, args []string) error {
 		prefs.NetfilterMode = router.NetfilterOn
 	case "nodivert":
 		prefs.NetfilterMode = router.NetfilterNoDivert
-		warning("netfilter in nodivert mode, you must add calls to Tailscale netfilter chains manually")
+		warning("netfilter=nodivert; add iptables calls to ts-* chains manually.")
 	case "off":
 		prefs.NetfilterMode = router.NetfilterOff
-		warning("netfilter management disabled, you must write a secure packet filter yourself")
+		warning("netfilter=off; configure iptables yourself.")
 	default:
 		log.Fatalf("invalid value --netfilter-mode: %q", upArgs.netfilterMode)
 	}
diff --git a/wgengine/router/router_linux.go b/wgengine/router/router_linux.go
index 449bf5050..c5824c554 100644
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -106,13 +106,9 @@ func (r *linuxRouter) Up() error {
 	if err := r.delLegacyNetfilter(); err != nil {
 		return err
 	}
-	if err := r.delNetfilterHooks(); err != nil {
+	if err := r.setNetfilterMode(NetfilterOff); err != nil {
 		return err
 	}
-	if err := r.delNetfilterBase(); err != nil {
-		return err
-	}
-
 	if err := r.addBypassRule(); err != nil {
 		return err
 	}
@@ -130,10 +126,7 @@ func (r *linuxRouter) down() error {
 	if err := r.delBypassRule(); err != nil {
 		return err
 	}
-	if err := r.delNetfilterHooks(); err != nil {
-		return err
-	}
-	if err := r.delNetfilterBase(); err != nil {
+	if err := r.setNetfilterMode(NetfilterOff); err != nil {
 		return err
 	}
 
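Review bot: In Up(), replacing the unconditional delNetfilterHooks()/delNetfilterBase() pair with `r.setNetfilterMode(NetfilterOff)` appears to drop the startup cleanup of rules left over from a previous run. The new setNetfilterMode (the @@ -229 hunk) only deletes chains when r.netfilterMode is NetfilterNoDivert or NetfilterOn, so if the field starts out as NetfilterOff on a freshly constructed router — its initial value is not visible in this diff — the call is a no-op and stale ts-* chains from a crashed or killed daemon survive until the next explicit mode change. If the cleanup on startup is still wanted, keep the explicit deletes in Up() or make the NetfilterOff branch tolerate an unknown current mode; at minimum add `// assumes r.netfilterMode reflects the live iptables state; stale rules from a prior run are not removed here` above the call. The down() change is unaffected as far as I can tell, since by then r.netfilterMode should reflect the mode that was actually installed. Both Up() and down() start before and continue past their hunks.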
@@ -229,11 +222,18 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
 	switch mode {
 	case NetfilterOff:
-		if err := r.delNetfilterHooks(); err != nil {
-			return err
-		}
-		if err := r.delNetfilterBase(); err != nil {
-			return err
+		switch r.netfilterMode {
+		case NetfilterNoDivert:
+			if err := r.delNetfilterBase(); err != nil {
+				return err
+			}
+		case NetfilterOn:
+			if err := r.delNetfilterHooks(); err != nil {
+				return err
+			}
+			if err := r.delNetfilterBase(); err != nil {
+				return err
+			}
 		}
 		r.snatSubnetRoutes = false
 	case NetfilterNoDivert: