diff --git a/cni/pkg/plugin/testdata/dns.txt.golden b/cni/pkg/plugin/testdata/dns.txt.golden
index 13d33034a658..1b5b0e8b0824 100644
--- a/cni/pkg/plugin/testdata/dns.txt.golden
+++ b/cni/pkg/plugin/testdata/dns.txt.golden
@@ -23,15 +23,18 @@
 -A ISTIO_OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports 15053
 -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
 -A ISTIO_OUTPUT -j ISTIO_REDIRECT
--A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
--A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
--A OUTPUT -p udp --dport 53 -j REDIRECT --to-port 15053
+-A OUTPUT -p udp -j ISTIO_OUTPUT
+-A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+-A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+-A ISTIO_OUTPUT -p udp --dport 53 -j REDIRECT --to-port 15053
 COMMIT
 * raw
--A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
--A OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
--A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
--A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
--A OUTPUT -p udp --dport 53 -j CT --zone 2
+-N ISTIO_OUTPUT
+-A OUTPUT -p udp -j ISTIO_OUTPUT
+-A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+-A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+-A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+-A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+-A ISTIO_OUTPUT -p udp --dport 53 -j CT --zone 2
 -A PREROUTING -p udp --sport 53 -j CT --zone 1
 COMMIT
diff --git a/tools/istio-clean-iptables/pkg/cmd/cleanup.go b/tools/istio-clean-iptables/pkg/cmd/cleanup.go
index a1165547b8a2..5cfe8dc4db95 100644
--- a/tools/istio-clean-iptables/pkg/cmd/cleanup.go
+++ b/tools/istio-clean-iptables/pkg/cmd/cleanup.go
@@ -89,6 +89,12 @@ func removeOldChains(cfg *config.Config, ext dep.Dependencies, iptV *dep.Iptable
 // TODO BML drop `HandleDSNUDP` and friends, no real need to tread UDP rules specially
 // or create unique abstractions for them
 func cleanupDNSUDP(cfg *config.Config, ext dep.Dependencies, iptV, ipt6V *dep.IptablesVersion) {
+ // Remove UDP jumps from OUTPUT chain to ISTIOOUTPUT chain
+ ext.RunQuietlyAndIgnore(constants.IPTables, iptV, nil, "-t", constants.NAT, "-D", constants.OUTPUT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
+ ext.RunQuietlyAndIgnore(constants.IPTables, iptV, nil, "-t", constants.RAW, "-D", constants.OUTPUT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
+ ext.RunQuietlyAndIgnore(constants.IPTables, ipt6V, nil, "-t", constants.NAT, "-D", constants.OUTPUT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
+ ext.RunQuietlyAndIgnore(constants.IPTables, ipt6V, nil, "-t", constants.RAW, "-D", constants.OUTPUT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
+
 // Remove the old DNS UDP rules
 if cfg.RedirectDNS {
 ownerGroupsFilter := types.ParseInterceptFilter(cfg.OwnerGroupsInclude, cfg.OwnerGroupsExclude)
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/dns-uid-gid.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/dns-uid-gid.golden
index 9eba379b4f4f..060fc0b4e34b 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/dns-uid-gid.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/dns-uid-gid.golden
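Review bot: The raw-table `ISTIO_OUTPUT` chain is never flushed or deleted on the cleanup side, only its rules are: the capture goldens now create it (`iptables -t raw -N ISTIO_OUTPUT`), but the updated cleanup goldens show just the four `-D OUTPUT -p udp -j ISTIO_OUTPUT` jump removals and per-rule `-D ISTIO_OUTPUT` deletions, with no `-t raw -F ISTIO_OUTPUT` / `-X ISTIO_OUTPUT` (the top of those goldens and `removeOldChains` are outside this view, so confirm it is not already covered there). If it is not, an orphaned user chain survives cleanup and a later re-run's `-N ISTIO_OUTPUT` on the raw table is rejected because the chain already exists, unless the rule builder tolerates that. I would add, after the four jump deletions, `ext.RunQuietlyAndIgnore(constants.IPTables, iptV, nil, "-t", constants.RAW, "-F", constants.ISTIOOUTPUT)` and the matching `"-X"` call, for both `iptV` and `ipt6V`. Note also that a single `-D` removes one copy of the jump, so a host where capture ran twice keeps the second jump; flushing and deleting the chain makes cleanup independent of that.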
@@ -32,35 +32,39 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j REDIRECT --to-port 15053
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
-iptables -t raw -D OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
+iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j REDIRECT --to-port 15053
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
 iptables -t raw -D PREROUTING -p udp --sport 53 -s 127.0.0.53/32 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j CT --zone 2
 ip6tables -t raw -D PREROUTING -p udp --sport 53 -s ::127.0.0.53/128 -j CT --zone 1
 iptables-save
 ip6tables-save
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/dns.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/dns.golden
index ecb2629fe03a..1dbc7c402b0f 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/dns.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/dns.golden
@@ -32,17 +32,21 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 iptables-save
 ip6tables-save
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/empty.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/empty.golden
index ed81b4954953..2971c77b4fd9 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/empty.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/empty.golden
@@ -32,5 +32,9 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
+iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
 iptables-save
 ip6tables-save
\ No newline at end of file
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/inbound-interception-mode.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/inbound-interception-mode.golden
index 714f36158820..f9c41a0e7696 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/inbound-interception-mode.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/inbound-interception-mode.golden
@@ -36,5 +36,9 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
+iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
 iptables-save
 ip6tables-save
\ No newline at end of file
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups-exclude.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups-exclude.golden
index 8ecfc8326438..093db2495884 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups-exclude.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups-exclude.golden
@@ -32,21 +32,25 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 iptables-save
 ip6tables-save
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups.golden
index 2ddedc4832b2..9f67f1eede74 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups.golden
@@ -32,19 +32,23 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 iptables-save
 ip6tables-save
diff --git a/tools/istio-iptables/pkg/capture/run.go b/tools/istio-iptables/pkg/capture/run.go
index 31b772a6345c..45807339dd7a 100644
--- a/tools/istio-iptables/pkg/capture/run.go
+++ b/tools/istio-iptables/pkg/capture/run.go
@@ -349,7 +349,7 @@ func (cfg *IptablesConfigurator) Run() error {
 // TODO: change the default behavior to not intercept any output - user may use http_proxy or another
 // iptablesOrFail wrapper (like ufw). Current default is similar with 0.1
- // Jump to the ISTIOOUTPUT chain from OUTPUT chain for all tcp traffic, and UDP dns (if enabled)
+ // Jump to the ISTIOOUTPUT chain from OUTPUT chain for all tcp traffic
 cfg.ruleBuilder.AppendRule(iptableslog.JumpOutbound, constants.OUTPUT, constants.NAT, "-p", constants.TCP, "-j", constants.ISTIOOUTPUT)
 // Apply port based exclusions. Must be applied before connections back to self are redirected.
 if cfg.cfg.OutboundPortsExclude != "" {
@@ -509,6 +509,10 @@ func (cfg *IptablesConfigurator) Run() error {
 cfg.handleOutboundIncludeRules(ipv6RangesInclude, cfg.ruleBuilder.AppendRuleV6, cfg.ruleBuilder.InsertRuleV6)
 
 if redirectDNS {
+ // Jump from OUTPUT chain to ISTIOOUTPUT chain for all UDP traffic
+ cfg.ruleBuilder.AppendRule(iptableslog.JumpOutbound, constants.OUTPUT, constants.NAT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
+ cfg.ruleBuilder.AppendRule(iptableslog.JumpOutbound, constants.OUTPUT, constants.RAW, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
+
 HandleDNSUDP(
 AppendOps, cfg.ruleBuilder, cfg.ext, &iptVer, &ipt6Ver,
 cfg.cfg.ProxyUID, cfg.cfg.ProxyGID,
@@ -616,7 +620,7 @@ func HandleDNSUDP(
 ext: ext,
 ops: ops,
 table: constants.NAT,
- chain: constants.OUTPUT,
+ chain: constants.ISTIOOUTPUT,
 iptV: iptV,
 ipt6V: ipt6V,
 }
diff --git a/tools/istio-iptables/pkg/capture/testdata/dns-uid-gid.golden b/tools/istio-iptables/pkg/capture/testdata/dns-uid-gid.golden
index 23adbcf85730..88bd58e92cae 100644
--- a/tools/istio-iptables/pkg/capture/testdata/dns-uid-gid.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/dns-uid-gid.golden
@@ -2,6 +2,7 @@ iptables -t nat -N ISTIO_INBOUND
 iptables -t nat -N ISTIO_REDIRECT
 iptables -t nat -N ISTIO_IN_REDIRECT
 iptables -t nat -N ISTIO_OUTPUT
+iptables -t raw -N ISTIO_OUTPUT
 iptables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 iptables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
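Review bot: Appending the UDP DNS rules to the nat `ISTIO_OUTPUT` chain places them behind rules that already end the chain for non-TCP traffic, so the DNS redirect can be unreachable: in the `ip-range` golden the chain reads `-A ISTIO_OUTPUT -j RETURN` before the new `-A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053`, and every nat golden has `-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN` ahead of it. With outbound IP-range inclusion configured, or a resolver on 127.0.0.1, application DNS now leaves the pod unredirected while DNS capture is believed to be on; the previous placement directly in `OUTPUT` was not subject to those RETURNs (the raw-table chain is new and holds only DNS rules, so it is unaffected). Either pass the insert counterpart of `AppendOps` to this `HandleDNSUDP` call so the UDP rules land at the head of `ISTIO_OUTPUT` (the builder visibly has `InsertRuleV6`, so presumably an insert op exists; insert in reverse so the owner RETURN rules stay ahead of the REDIRECT), or jump UDP to a dedicated chain such as `-A OUTPUT -p udp -j ISTIO_OUTPUT_DNS`. `Run` starts and continues outside this hunk.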
@@ -21,25 +22,28 @@ iptables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 2 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p tcp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-ports 15053
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
+iptables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
 iptables -t raw -A PREROUTING -p udp --sport 53 -s 127.0.0.53/32 -j CT --zone 1
 ip6tables -t nat -N ISTIO_INBOUND
 ip6tables -t nat -N ISTIO_REDIRECT
 ip6tables -t nat -N ISTIO_IN_REDIRECT
 ip6tables -t nat -N ISTIO_OUTPUT
+ip6tables -t raw -N ISTIO_OUTPUT
 ip6tables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 ip6tables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 ip6tables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -59,20 +63,22 @@ ip6tables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owne
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 2 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -p tcp --dport 53 -d ::127.0.0.53/128 -j REDIRECT --to-ports 15053
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j REDIRECT --to-port 15053
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j CT --zone 2
+ip6tables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j REDIRECT --to-port 15053
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j CT --zone 2
 ip6tables -t raw -A PREROUTING -p udp --sport 53 -s ::127.0.0.53/128 -j CT --zone 1
 iptables-save
 ip6tables-save
diff --git a/tools/istio-iptables/pkg/capture/testdata/ip-range.golden b/tools/istio-iptables/pkg/capture/testdata/ip-range.golden
index a03b0541bc5d..6223692fb166 100644
--- a/tools/istio-iptables/pkg/capture/testdata/ip-range.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/ip-range.golden
@@ -2,6 +2,7 @@ iptables -t nat -N ISTIO_INBOUND
 iptables -t nat -N ISTIO_REDIRECT
 iptables -t nat -N ISTIO_IN_REDIRECT
 iptables -t nat -N ISTIO_OUTPUT
+iptables -t raw -N ISTIO_OUTPUT
 iptables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 iptables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -24,19 +25,21 @@ iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 1.1.0.0/16 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 9.9.0.0/16 -j ISTIO_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
+iptables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
+iptables -t raw -A 
ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
 iptables -t raw -A PREROUTING -p udp --sport 53 -s 127.0.0.53/32 -j CT --zone 1
 iptables-save
diff --git a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups-exclude.golden b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups-exclude.golden
index 66b3b1657fb9..92cfe370a80e 100644
--- a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups-exclude.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups-exclude.golden
@@ -2,6 +2,7 @@ iptables -t nat -N ISTIO_INBOUND
 iptables -t nat -N ISTIO_REDIRECT
 iptables -t nat -N ISTIO_IN_REDIRECT
 iptables -t nat -N ISTIO_OUTPUT
+iptables -t raw -N ISTIO_OUTPUT
 iptables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 iptables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -16,18 +17,21 @@ iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 888 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner ftp -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+iptables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 ip6tables -t nat -N ISTIO_INBOUND
 ip6tables -t nat -N ISTIO_REDIRECT
 ip6tables -t nat -N ISTIO_IN_REDIRECT
 ip6tables -t nat -N ISTIO_OUTPUT
+ip6tables -t raw -N ISTIO_OUTPUT
 ip6tables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 ip6tables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 ip6tables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -42,13 +46,15 @@ ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 888 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner ftp -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+ip6tables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 iptables-save
 ip6tables-save
diff --git a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups.golden b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups.golden
index 63654d4b8304..25a94f5d52d0 100644
--- a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups.golden
@@ -2,6 +2,7 @@ iptables -t nat -N ISTIO_INBOUND
 iptables -t nat -N ISTIO_REDIRECT
 iptables -t nat -N ISTIO_IN_REDIRECT
 iptables -t nat -N ISTIO_OUTPUT
+iptables -t raw -N ISTIO_OUTPUT
 iptables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 iptables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -15,17 +16,20 @@ iptables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+iptables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 ip6tables -t nat -N ISTIO_INBOUND
 ip6tables -t nat -N ISTIO_REDIRECT
 ip6tables -t nat -N ISTIO_IN_REDIRECT
 ip6tables -t nat -N ISTIO_OUTPUT
+ip6tables -t raw -N ISTIO_OUTPUT
 ip6tables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 ip6tables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 ip6tables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -39,12 +43,14 @@ ip6tables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owne
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+ip6tables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 iptables-save
 ip6tables-save
diff --git a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-uid-gid.golden b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-uid-gid.golden
index e8f19e4f08c1..7a04ac47bd44 100644
--- a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-uid-gid.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-uid-gid.golden
@@ -2,6 +2,7 @@ iptables -t nat -N ISTIO_INBOUND
 iptables -t nat -N ISTIO_REDIRECT
 iptables -t nat -N ISTIO_IN_REDIRECT
 iptables -t nat -N ISTIO_OUTPUT
+iptables -t raw -N ISTIO_OUTPUT
 iptables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 iptables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -20,22 +21,25 @@ iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -p tcp ! --dport 15008 -
 iptables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner 2 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 2 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+iptables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
 ip6tables -t nat -N ISTIO_INBOUND
 ip6tables -t nat -N ISTIO_REDIRECT
 ip6tables -t nat -N ISTIO_IN_REDIRECT
 ip6tables -t nat -N ISTIO_OUTPUT
+ip6tables -t raw -N ISTIO_OUTPUT
 ip6tables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 ip6tables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 ip6tables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -54,17 +58,19 @@ ip6tables -t nat -A ISTIO_OUTPUT -o lo ! -d ::1/128 -p tcp ! --dport 15008 -m ow
 ip6tables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner 2 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 2 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+ip6tables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
 iptables-save
 ip6tables-save
diff --git a/tools/istio-iptables/pkg/capture/testdata/loopback-outbound-iprange.golden b/tools/istio-iptables/pkg/capture/testdata/loopback-outbound-iprange.golden
index 0811246f203e..3e65e9497a9d 100644
--- a/tools/istio-iptables/pkg/capture/testdata/loopback-outbound-iprange.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/loopback-outbound-iprange.golden
@@ -2,6 +2,7 @@ iptables -t nat -N ISTIO_INBOUND
 iptables -t nat -N ISTIO_REDIRECT
 iptables -t nat -N ISTIO_IN_REDIRECT
 iptables -t nat -N ISTIO_OUTPUT
+iptables -t raw -N ISTIO_OUTPUT
 iptables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 iptables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -19,19 +20,21 @@ iptables -t nat -A ISTIO_OUTPUT -p tcp --dport 53 -d 127.0.0.53/32 -j REDIRECT -
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.1.2.3/32 -j ISTIO_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
+iptables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
 iptables -t raw -A PREROUTING -p udp --sport 53 -s 127.0.0.53/32 -j CT --zone 1
 iptables-save
diff --git a/tools/istio-iptables/pkg/capture/testdata/tproxy.golden b/tools/istio-iptables/pkg/capture/testdata/tproxy.golden
index a881218dd2c4..0427e0acc76d 100644
--- a/tools/istio-iptables/pkg/capture/testdata/tproxy.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/tproxy.golden
@@ -5,6 +5,7 @@ iptables -t mangle -N ISTIO_DIVERT
 iptables -t mangle -N ISTIO_TPROXY
 iptables -t mangle -N ISTIO_INBOUND
 iptables -t nat -N ISTIO_OUTPUT
+iptables -t raw -N ISTIO_OUTPUT
 iptables -t nat -A PREROUTING -i not-istio-nic -j RETURN
 iptables -t nat -A OUTPUT -o not-istio-nic -j RETURN
 iptables -t mangle -A PREROUTING -i not-istio-nic -j RETURN
@@ -31,14 +32,16 @@ iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 1.1.0.0/16 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 9.9.0.0/16 -j ISTIO_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
+iptables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
 iptables -t raw -A PREROUTING -p udp --sport 53 -s 127.0.0.53/32 -j CT --zone 1
 iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1337 -j CONNMARK --save-mark
 iptables -t mangle -A OUTPUT -p tcp -o lo -m mark --mark 1337 -j RETURN
@@ -55,6 +58,7 @@ ip6tables -t mangle -N ISTIO_DIVERT
 ip6tables -t mangle -N ISTIO_TPROXY
 ip6tables -t mangle -N ISTIO_INBOUND
 ip6tables -t nat -N ISTIO_OUTPUT
+ip6tables -t raw -N ISTIO_OUTPUT
 ip6tables -t nat -A PREROUTING -i not-istio-nic -j RETURN
 ip6tables -t nat -A OUTPUT -o not-istio-nic -j RETURN
 ip6tables -t mangle -A PREROUTING -i not-istio-nic -j RETURN
@@ -77,12 +81,14 @@ ip6tables -t nat -A ISTIO_OUTPUT -o lo ! -d ::1/128 -p tcp ! --dport 15008 -m ow
 ip6tables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+ip6tables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 ip6tables -t mangle -A PREROUTING -p tcp -m mark --mark 1337 -j CONNMARK --save-mark
 ip6tables -t mangle -A OUTPUT -p tcp -o lo -m mark --mark 1337 -j RETURN
 ip6tables -t mangle -A OUTPUT ! -d ::1/128 -p tcp -o lo -m owner --uid-owner 1337 -j MARK --set-mark 1338