diff --git a/tests/kola/firewall/data/commonlib.sh b/tests/kola/firewall/data/commonlib.sh
deleted file mode 120000
index 1742d51e67..0000000000
--- a/tests/kola/firewall/data/commonlib.sh
+++ /dev/null
@@ -1 +0,0 @@
-../../data/commonlib.sh
\ No newline at end of file
diff --git a/tests/kola/firewall/iptables-legacy b/tests/kola/firewall/iptables-legacy
deleted file mode 100755
index 594f691a5d..0000000000
--- a/tests/kola/firewall/iptables-legacy
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-# kola: { "distros": "fcos", "exclusive": false }
-# This test is currently scoped to only FCOS because the RHCOS version of `iptables`
-# is using the `nf_tables` backend.
-# TODO: modify this test to check for `nf_tables` backend when FCOS switches.
-# See https://github.com/coreos/fedora-coreos-config/pull/1324
-
-set -xeuo pipefail
-
-. $KOLA_EXT_DATA/commonlib.sh
-
-# Make sure we're still on legacy iptables for now
-# https://github.com/coreos/fedora-coreos-tracker/issues/676#issuecomment-928028451
-if ! iptables --version | grep legacy; then
- iptables --version # output for logs
- fatal "iptables version is not legacy"
-fi
-ok "iptables still in legacy mode"
diff --git a/tests/kola/firewall/iptables-legacy/config.bu b/tests/kola/firewall/iptables-legacy/config.bu
new file mode 100644
index 0000000000..c7092c4022
--- /dev/null
+++ b/tests/kola/firewall/iptables-legacy/config.bu
@@ -0,0 +1,28 @@
+variant: fcos
+version: 1.4.0
+storage:
+ links:
+ - path: /etc/alternatives/iptables
+ target: /usr/sbin/iptables-legacy
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/iptables-restore
+ target: /usr/sbin/iptables-legacy-restore
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/iptables-save
+ target: /usr/sbin/iptables-legacy-save
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/ip6tables
+ target: /usr/sbin/ip6tables-legacy
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/ip6tables-restore
+ target: /usr/sbin/ip6tables-legacy-restore
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/ip6tables-save
+ target: /usr/sbin/ip6tables-legacy-save
+ overwrite: true
+ hard: false
diff --git a/tests/kola/firewall/iptables-legacy/data/commonlib.sh b/tests/kola/firewall/iptables-legacy/data/commonlib.sh
new file mode 120000
index 0000000000..b8dcbdca1a
--- /dev/null
+++ b/tests/kola/firewall/iptables-legacy/data/commonlib.sh
@@ -0,0 +1 @@
+../../../data/commonlib.sh
\ No newline at end of file
diff --git a/tests/kola/firewall/iptables-legacy/test.sh b/tests/kola/firewall/iptables-legacy/test.sh
new file mode 100755
index 0000000000..8ef28366cd
--- /dev/null
+++ b/tests/kola/firewall/iptables-legacy/test.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# kola: { "distros": "fcos", "exclusive": true }
+# This test verifies that one can configure a node to use the legacy iptables
+# backend. It is scoped to only FCOS because RHCOS only supports nft.
+set -xeuo pipefail
+
+. $KOLA_EXT_DATA/commonlib.sh
+
+# Make sure we're on legacy iptables
+if ! iptables --version | grep legacy; then
+ iptables --version # output for logs
+ fatal "iptables version is not legacy"
+fi
+ok "iptables in legacy mode"
diff --git a/tests/kola/firewall/iptables/data/commonlib.sh b/tests/kola/firewall/iptables/data/commonlib.sh
new file mode 120000
index 0000000000..b8dcbdca1a
--- /dev/null
+++ b/tests/kola/firewall/iptables/data/commonlib.sh
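Review bot: The new config.bu has no comment saying why the six `/etc/alternatives` links are overwritten or where the list comes from, so a later reader cannot tell whether it is complete. A header such as `# Force the legacy iptables backend by repointing the alternatives links; keep this list in sync with the links the iptables alternatives group manages.` would cover it. If that group manages links beyond these six (not visible in this diff), some firewall tools could stay on a different backend than the rest, so the comment should state that the list was checked against the package.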
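Review bot: The check `if ! iptables --version | grep legacy; then` in iptables-legacy/test.sh covers only one of the six links that config.bu repoints, so a wrong `ip6tables` target would pass unnoticed and IPv6 rules could end up on a different backend than IPv4. Adding the same assertion for IPv6 closes the main gap, e.g. `ip6tables --version | grep legacy || fatal "ip6tables version is not legacy"`. Separately, `. $KOLA_EXT_DATA/commonlib.sh` should quote the expansion: `. "$KOLA_EXT_DATA/commonlib.sh"`. Both points apply equally to tests/kola/firewall/iptables/test.sh, where each `case` arm checks only `iptables`.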
@@ -0,0 +1 @@
+../../../data/commonlib.sh
\ No newline at end of file
diff --git a/tests/kola/firewall/iptables/test.sh b/tests/kola/firewall/iptables/test.sh
new file mode 100755
index 0000000000..3477f2f125
--- /dev/null
+++ b/tests/kola/firewall/iptables/test.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# kola: { "exclusive": false }
+# Verifies that the expected iptables backend is configured.
+# https://github.com/coreos/fedora-coreos-tracker/issues/676
+set -xeuo pipefail
+
+. $KOLA_EXT_DATA/commonlib.sh
+
+# we're currently rolling out to next first
+case "$(get_fcos_stream)" in
+ "next-devel" | "next")
+ if ! iptables --version | grep nf_tables; then
+ iptables --version # output for logs
+ fatal "iptables version is not nft"
+ fi
+ ok "iptables in nft mode"
+ ;;
+ *)
+ # Make sure we're on legacy iptables
+ if ! iptables --version | grep legacy; then
+ iptables --version # output for logs
+ fatal "iptables version is not legacy"
+ fi
+ ok "iptables in legacy mode"
+ ;;
+esac
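Review bot: The `*)` arm in iptables/test.sh expects legacy for every stream other than `next-devel`/`next`, and the header `# kola: { "exclusive": false }` drops the `"distros": "fcos"` scope that the deleted test carried. The deleted test's comment says the RHCOS `iptables` uses the `nf_tables` backend, so if this test also runs there (kola's scoping is not visible in the diff) it would presumably take the legacy arm and fail. Either restore the scope with `# kola: { "distros": "fcos", "exclusive": false }` or add an explicit arm for that case. Naming the legacy streams explicitly and making `*)` call `fatal` with the unexpected stream value would also keep an unknown or empty `get_fcos_stream` result from being checked against the wrong backend.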