diff --git a/Dockerfile b/Dockerfile
index 3587fd4..80f63c1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,6 @@
-FROM jrei/systemd-debian:10
+FROM jrei/systemd-debian:12
 RUN apt update && apt install -y sudo wget procps curl systemd && rm -rf /var/lib/apt/lists/*
-COPY setup.sh .
+RUN curl -sL https://install.raspap.com | bash -s -- --yes --wireguard 1 --openvpn 1 --adblock 1
+COPY firewall-rules.sh /home/firewall-rules.sh
+RUN chmod +x /home/firewall-rules.sh
+CMD /home/firewall-rules.sh
\ No newline at end of file
diff --git a/README.md b/README.md
index e7b9c7e..9184efb 100644
--- a/README.md
+++ b/README.md
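Review bot: The added `RUN curl -sL https://install.raspap.com | bash -s -- --yes ...` bakes whatever that URL serves at build time into the image, with no pinned release and no integrity check. Under the default `/bin/sh -c` a failed or truncated download is also masked, because only bash's exit status decides the step. At minimum put `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before it and use `curl -fsSL`; better, download the installer to a file, verify it against a recorded SHA-256, and select a pinned release if the installer offers such an option. Separately, the shell-form `CMD /home/firewall-rules.sh` replaces the base image's default command. If that image relies on its CMD to start systemd (to be confirmed against the base image), the services the installer set up will not run and the container exits once the script returns.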
@@ -7,22 +7,18 @@ A community-led docker container for RaspAP
 # Usage
 ```
 docker run --name raspap -it -d --privileged --network=host -v /sys/fs/cgroup:/sys/fs/cgroup:ro --cap-add SYS_ADMIN ghcr.io/raspap/raspap-docker:latest
-docker exec -it raspap bash
-$ ./setup.sh
-docker restart raspap
-Web GUI should be accessible on http://localhost by default
 ```
-## Workaround for arm devices
-To use this container on arm devices you have to make cgroups writable:
+Web GUI should be accessible on http://localhost by default
+
+## Workaround for ARM devices
+To use this container on ARM devices you have to make cgroups writable:
 ```
 docker run --name raspap -it -d --privileged --network=host --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw --cap-add SYS_ADMIN ghcr.io/raspap/raspap-docker:latest
-docker exec -it raspap bash
-$ ./setup.sh
-docker restart raspap
-Web GUI should be accessible on http://localhost by default
 ```
+Web GUI should be accessible on http://localhost by default
+
 ## Allow WiFi-clients to connect to LAN and internet
-Because of docker isolation and security defaults the following rules must be added in the docker container:
+Because of docker isolation and security defaults the following rules must be added on the docker host:
 ```
 iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT
 iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE || iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
diff --git a/firewall-rules.sh b/firewall-rules.sh
new file mode 100644
index 0000000..a9f423e
--- /dev/null
+++ b/firewall-rules.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT
+iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE || iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+iptables -C FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT || iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -C FORWARD -i wlan0 -o eth0 -j ACCEPT || iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
+iptables-save
\ No newline at end of file
diff --git a/setup.sh b/setup.sh
deleted file mode 100755
index 8ae2c55..0000000
--- a/setup.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-curl -sL https://install.raspap.com | bash
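Review bot: The first rule in firewall-rules.sh, `iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT`, ships the README's placeholder interface names literally and, unlike the three rules below it, has no `-C` check, so it matches no real interface and a fresh copy is inserted on every container start. Because the documented run command uses `--privileged --network=host`, these rules presumably land in the host's netfilter tables; a header comment should say so, and should note that the wlan0-to-eth0 FORWARD rule accepts all traffic. The script also has no `set -e`, and the closing `iptables-save` only prints the ruleset to stdout rather than persisting it. I would take the interface names from the environment and guard the insert, as sketched below.

```shell
#!/bin/bash
set -euo pipefail

# src_if/dst_if were documentation placeholders; require the real names from the environment.
: "${SRC_IF:?set SRC_IF}" "${DST_IF:?set DST_IF}"

# Check before inserting so restarts do not stack duplicate DOCKER-USER rules.
iptables -C DOCKER-USER -i "$SRC_IF" -o "$DST_IF" -j ACCEPT 2>/dev/null \
  || iptables -I DOCKER-USER -i "$SRC_IF" -o "$DST_IF" -j ACCEPT
# … unchanged: MASQUERADE and FORWARD rules, iptables-save …
```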