Clean existing iptables rules before marking traffic for peers

lib/wireguard/traffic_control.dart

@@ -34,10 +34,18 @@ class TrafficControlService {
       final downloadMark = mark + 1000; // Offset to avoid conflicts
       
       print('Running iptables MARK commands for $peerIP...');
-      // Mark upload traffic (FROM peer) with uploadMark
-      await _runIptablesCommand(['-I', 'FORWARD', '-s', peerIP, '-j', 'MARK', '--set-mark', uploadMark.toString()]);
-      // Mark download traffic (TO peer) with downloadMark
-      await _runIptablesCommand(['-I', 'FORWARD', '-d', peerIP, '-j', 'MARK', '--set-mark', downloadMark.toString()]);
+      // Clean existing rules for this peer first
+      try {
+        await _runIptablesCommand(['-D', 'FORWARD', '-s', peerIP, '-j', 'MARK', '--set-mark', uploadMark.toString()]);
+      } catch (e) { /* Rule doesn't exist, ignore */ }
+      try {
+        await _runIptablesCommand(['-D', 'FORWARD', '-d', peerIP, '-j', 'MARK', '--set-mark', downloadMark.toString()]);
+      } catch (e) { /* Rule doesn't exist, ignore */ }
+      
+      // Mark upload traffic (FROM peer) with uploadMark - use POSTROUTING for upload
+      await _runIptablesCommand(['-t', 'mangle', '-I', 'POSTROUTING', '-s', peerIP, '-j', 'MARK', '--set-mark', uploadMark.toString()]);
+      // Mark download traffic (TO peer) with downloadMark - use FORWARD for download
+      await _runIptablesCommand(['-t', 'mangle', '-I', 'FORWARD', '-d', peerIP, '-j', 'MARK', '--set-mark', downloadMark.toString()]);
       
       print('Running tc class add/change commands for upload and download...');