diff --git a/Dockerfile b/Dockerfile
index 38d5baef..3057138a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -218,7 +218,7 @@ RUN apk add --no-cache --update -l wget && \
     apk add --no-cache --update -X "https://dl-cdn.alpinelinux.org/alpine/v3.17/main" openvpn\~2.5 && \
     mv /usr/sbin/openvpn /usr/sbin/openvpn2.5 && \
     apk del openvpn && \
-    apk add --no-cache --update openvpn ca-certificates iptables ip6tables unbound tzdata && \
+    apk add --no-cache --update openvpn ca-certificates iptables iptables-legacy unbound tzdata && \
     mv /usr/sbin/openvpn /usr/sbin/openvpn2.6 && \
     # Fix vulnerability issue
     apk add --no-cache --update busybox && \
diff --git a/internal/firewall/firewall.go b/internal/firewall/firewall.go
index bbf9b19f..c9235c3f 100644
--- a/internal/firewall/firewall.go
+++ b/internal/firewall/firewall.go
@@ -38,7 +38,7 @@ type Config struct { //nolint:maligned
 func NewConfig(ctx context.Context, logger Logger,
 	runner command.Runner, defaultRoutes []routing.DefaultRoute,
 	localNetworks []routing.LocalNetwork) (config *Config, err error) {
-	iptables, err := checkIptablesSupport(ctx, runner, "iptables", "iptables-nft")
+	iptables, err := checkIptablesSupport(ctx, runner, "iptables", "iptables-nft", "iptables-legacy")
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/firewall/ip6tables.go b/internal/firewall/ip6tables.go
index 2384febc..613225b4 100644
--- a/internal/firewall/ip6tables.go
+++ b/internal/firewall/ip6tables.go
@@ -15,7 +15,7 @@ import (
 // empty string path is returned.
 func findIP6tablesSupported(ctx context.Context, runner command.Runner) (
 	ip6tablesPath string, err error) {
-	ip6tablesPath, err = checkIptablesSupport(ctx, runner, "ip6tables", "ip6tables-nft")
+	ip6tablesPath, err = checkIptablesSupport(ctx, runner, "ip6tables", "ip6tables-nft", "ip6tables-legacy")
 	if errors.Is(err, ErrIPTablesNotSupported) {
 		return "", nil
 	} else if err != nil {