diff --git a/setup/start/cloudron-firewall.sh b/setup/start/cloudron-firewall.sh
index 2e2efd34c..919cacfd5 100755
--- a/setup/start/cloudron-firewall.sh
+++ b/setup/start/cloudron-firewall.sh
@@ -187,3 +187,15 @@ $ip6tables -t filter -C INPUT -j CLOUDRON_RATELIMIT 2>/dev/null || $ip6tables -t
 # Workaround issue where Docker insists on adding itself first in FORWARD table
 ipxtables -D FORWARD -j CLOUDRON_RATELIMIT || true
 ipxtables -I FORWARD 1 -j CLOUDRON_RATELIMIT
+
+echo "==> Adding cloudron output chain"
+ipxtables -t filter -N CLOUDRON_OUTPUT || true
+ipxtables -t filter -F CLOUDRON_OUTPUT # empty any existing rules
+
+# turn - mitigate reflection/amplification attack with UDP . The 5349 port is DTLS/UDP and not affected. https://github.com/coturn/coturn/pull/1588
+# hashlimit-above is applied _after_ allowing a hashlimit-burst
+sudo iptables -t filter -A CLOUDRON_OUTPUT -p udp --sport 3478 -m hashlimit --hashlimit-name turn-401 --hashlimit-above 10/second --hashlimit-burst 30 --hashlimit-mode dstip -j CLOUDRON_RATELIMIT_LOG
+
+# Add the ouput rate limit chain to output chain
+$iptables -t filter -C OUTPUT -j CLOUDRON_OUTPUT 2>/dev/null || $iptables -t filter -I OUTPUT 1 -j CLOUDRON_OUTPUT
+$ip6tables -t filter -C INPUT -j CLOUDRON_OUTPUT 2>/dev/null || $ip6tables -t filter -I OUTPUT 1 -j CLOUDRON_OUTPUT
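Review bot: The last added line checks the wrong chain: the `-C` probes INPUT for the CLOUDRON_OUTPUT jump but the insert goes into OUTPUT, so the check can never succeed and a duplicate `-j CLOUDRON_OUTPUT` rule is prepended to the IPv6 OUTPUT chain on every run of this script; it should read `$ip6tables -t filter -C OUTPUT -j CLOUDRON_OUTPUT 2>/dev/null || $ip6tables -t filter -I OUTPUT 1 -j CLOUDRON_OUTPUT`. The hashlimit rule itself is added with a bare `sudo iptables` rather than the `ipxtables`/`$iptables` helpers the rest of the hunk uses, so the v6 CLOUDRON_OUTPUT chain is created and jumped to but stays empty, and the TURN rate limit is never applied to IPv6 traffic; `ipxtables -t filter -A CLOUDRON_OUTPUT -p udp --sport 3478 -m hashlimit ... -j CLOUDRON_RATELIMIT_LOG` would keep both families consistent. The existence of the CLOUDRON_RATELIMIT_LOG target chain is not visible in this hunk; if it is only created under some conditions, the `-A` here will fail and, depending on the script's `set -e` state, abort the firewall setup. Minor: "ouput" in the comment should be "output".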