diff --git a/manifests/fedora-coreos-base.yaml b/manifests/fedora-coreos-base.yaml
index a6049725ec..bc87929da0 100644
--- a/manifests/fedora-coreos-base.yaml
+++ b/manifests/fedora-coreos-base.yaml
@@ -84,6 +84,17 @@ postprocess:
     if [ -z "${DEFAULT_HOSTNAME:-}" ]; then
       echo 'DEFAULT_HOSTNAME=localhost' >> /usr/lib/os-release
     fi
+  # Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
+  # remove iptables-legacy.
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    ln -sf /usr/sbin/ip6tables-nft /etc/alternatives/ip6tables
+    ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
+    ln -sf /usr/sbin/ip6tables-nft-save /etc/alternatives/ip6tables-save
+    ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables
+    ln -sf /usr/sbin/iptables-nft-restore /etc/alternatives/iptables-restore
+    ln -sf /usr/sbin/iptables-nft-save /etc/alternatives/iptables-save
 
 # Packages listed here should be specific to Fedore CoreOS (as in not yet
 # available in RHCOS or not desired in RHCOS). All other packages should go