diff --git a/manifest.yaml b/manifest.yaml
index 5b9b44b3fa..b021aeffcc 100644
--- a/manifest.yaml
+++ b/manifest.yaml
@@ -42,3 +42,15 @@ postprocess:
     #!/usr/bin/env bash
     mkdir -p /usr/lib/rpm-ostree/
     mv /usr/bin/microdnf /usr/lib/rpm-ostree/
+  # Default to iptables-nft. Otherwise, legacy wins. This needs to be lowered in
+  # a shared manifest once we're ready to migrate `testing`. We can drop this
+  # once/if we remove iptables-legacy.
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    ln -sf /usr/sbin/ip6tables-nft         /etc/alternatives/ip6tables
+    ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
+    ln -sf /usr/sbin/ip6tables-nft-save    /etc/alternatives/ip6tables-save
+    ln -sf /usr/sbin/iptables-nft          /etc/alternatives/iptables
+    ln -sf /usr/sbin/iptables-nft-restore  /etc/alternatives/iptables-restore
+    ln -sf /usr/sbin/iptables-nft-save     /etc/alternatives/iptables-save