diff --git a/Dockerfile b/Dockerfile
index 6261067..33df128 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,9 @@
 FROM alpine:3.13
-RUN apk add --update --no-cache \
- iptables \
- libcap
+RUN apk --no-cache upgrade \
+ && apk --no-cache add \
+ iptables \
+ libcap
 COPY ./entrypoint.sh /
diff --git a/README.md b/README.md
index 1207f17..d724fcd 100644
--- a/README.md
+++ b/README.md
@@ -8,8 +8,8 @@ Docker Image Tags:
 * `latest`
-* `2`
-* `2.x.x`
+* `3`
+* `3.x.x`
 Docker image to forward **TCP** and **UDP** traffic to the docker host.
@@ -19,7 +19,7 @@ This container will determine docker host address in the following order
 * Try to resolve `host.docker.internal` (`getent ahostsv4 host.docker.internal`)
 * Defaults to default gateway (`ip -4 route show default`)
-By default all ports (`0:65535`) are forwarded to docker host you can override ports by setting environment variable `PORTS` to a comma separated list of ports and/or port ranges e.g `443,80,8000:9000`
+By default all ports (`1-65535`) are forwarded to docker host. You may restrict ports by setting environment variable `PORTS` to a space and/or comma separated list of ports and/or port ranges e.g `443, 8000-9000`. You may also configure port mapping e.g. `443:8443, 8000-9000:5000-6000`
 #### ⚠️ On **Linux systems**
diff --git a/entrypoint.sh b/entrypoint.sh
index cdeb9ac..546e0c2 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -66,23 +66,26 @@ then
 # --- Configure iptables -----------------------------------------------------
 # setup port forwarding
- FORWARDING_PORTS="$(echo ${PORTS:-'0:65535'} | sed 's/[ ,;][ ,;]*/ /g')"
- echo "Forwarding ports: ${FORWARDING_PORTS// /,}"
+ FORWARDING_PORTS="$(echo "${PORTS:-'1-65535'}" | sed 's/[ ,][ ,]*/ /g')"
+ echo "Forwarding ports: $FORWARDING_PORTS"
 iptables -t nat -I POSTROUTING -j MASQUERADE
- for forwarding_port in ${FORWARDING_PORTS}
+ for forwarding_port in $FORWARDING_PORTS
 do
+ forwarding_ingress_port="$(echo "$forwarding_port" | cut -d':' -f1)"
+ forwarding_egress_port="$(echo "$forwarding_port" | cut -d':' -f2)"
+ forwarding_egress_port="${forwarding_egress_port:-$forwarding_ingress_port}"
+ forwarding_egress_port="${forwarding_egress_port/:/-}"
+
 iptables --table nat --insert PREROUTING \
- --protocol tcp \
- --dport "$forwarding_port" \
- --jump DNAT --to-destination "$docker_host_ip"
+ --protocol tcp --destination-port "${forwarding_ingress_port/-/:}" \
+ --jump DNAT --to-destination "$docker_host_ip:$forwarding_egress_port"
 iptables --table nat --insert PREROUTING \
- --protocol udp \
- --dport "$forwarding_port" \
- --jump DNAT --to-destination "$docker_host_ip"
+ --protocol udp --destination-port "${forwarding_ingress_port/-/:}" \
+ --jump DNAT --to-destination "$docker_host_ip:$forwarding_egress_port"
 done
 # --- Drop root access -------------------------------------------------------
- exec su -s /bin/sh nobody "$0"
+ exec su -s /bin/sh nobody "$0" -- "$@"
 fi
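Review bot: The new `FORWARDING_PORTS` line wraps the default in double quotes, `"${PORTS:-'1-65535'}"`, and in bash the inner single quotes are then kept as literal characters, so with `PORTS` unset the ingress port becomes `'1:65535'` and iptables rejects it — the old unquoted form stripped the quotes, and the README in this same commit says all ports are forwarded by default. Whether busybox ash (presumably the `/bin/sh` on alpine:3.13) also keeps them should be confirmed, but `FORWARDING_PORTS="$(echo "${PORTS:-1-65535}" | sed 's/[ ,][ ,]*/ /g')"` is correct under either interpretation. Separately, the `--` added to the `exec su` line is an argument to the re-executed script rather than something su consumes, so `$1` presumably becomes `--` on the unprivileged run; confirm that the code consuming `"$@"` (outside this hunk) tolerates it, or drop the `--`. The README's `8000-9000:5000-6000` example also relies on range-to-range DNAT preserving the port offset, which as far as I recall the kernel does not do (it picks a port within the target range), so that mapping deserves a test before it is documented. The enclosing `if … then` starts outside the hunk.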