diff --git a/debian/qubes-core-agent-networking.install b/debian/qubes-core-agent-networking.install
index 7f371ef..8c63f10 100644
--- a/debian/qubes-core-agent-networking.install
+++ b/debian/qubes-core-agent-networking.install
@@ -13,6 +13,7 @@ lib/systemd/system/qubes-iptables.service
 lib/systemd/system/qubes-network.service
 lib/systemd/system/qubes-updates-proxy.service
 usr/lib/qubes/init/network-proxy-setup.sh
+usr/lib/qubes/init/network-proxy-stop.sh
 usr/lib/qubes/init/qubes-iptables
 usr/lib/qubes/iptables-updates-proxy
 usr/lib/qubes/qubes-setup-dnat-to-ns
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
index 0ec54e0..3e663d3 100644
--- a/rpm_spec/core-agent.spec.in
+++ b/rpm_spec/core-agent.spec.in
@@ -799,6 +799,7 @@ rm -f %{name}-%{version}
 /lib/systemd/system/qubes-network.service
 /lib/systemd/system/qubes-updates-proxy.service
 /usr/lib/qubes/init/network-proxy-setup.sh
+/usr/lib/qubes/init/network-proxy-stop.sh
 /usr/lib/qubes/init/qubes-iptables
 /usr/lib/qubes/iptables-updates-proxy
 /usr/lib/qubes/qubes-setup-dnat-to-ns
diff --git a/vm-systemd/network-proxy-stop.sh b/vm-systemd/network-proxy-stop.sh
new file mode 100755
index 0000000..4ef924e
--- /dev/null
+++ b/vm-systemd/network-proxy-stop.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+echo 0 > /proc/sys/net/ipv4/ip_forward
+# disable also IPv6 forwarding, if IPv6 applicable
+if [ -w /proc/sys/net/ipv6/conf/all/forwarding ]; then
+    echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
+fi
diff --git a/vm-systemd/qubes-network.service b/vm-systemd/qubes-network.service
index c5aa410..5281bf1 100644
--- a/vm-systemd/qubes-network.service
+++ b/vm-systemd/qubes-network.service
@@ -8,6 +8,7 @@ After=network-pre.target qubes-iptables.service
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/lib/qubes/init/network-proxy-setup.sh
+ExecStop=/usr/lib/qubes/init/network-proxy-stop.sh
 
 [Install]
 WantedBy=multi-user.target