diff --git a/wgengine/router/router_linux.go b/wgengine/router/router_linux.go
index 0f438ca53..084775786 100644
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -247,9 +247,6 @@ func (r *linuxRouter) Up() error {
 if r.unregLinkMon == nil && r.linkMon != nil {
 r.unregLinkMon = r.linkMon.RegisterRuleDeleteCallback(r.onIPRuleDeleted)
 }
- if err := r.delLegacyNetfilter(); err != nil {
- return err
- }
 if err := r.addIPRules(); err != nil {
 return fmt.Errorf("adding IP rules: %w", err)
 }
@@ -1380,38 +1377,6 @@ func (r *linuxRouter) delSNATRule() error {
 return nil
 }
 
-func (r *linuxRouter) delLegacyNetfilter() error {
- if distro.Get() == distro.Synology {
- // We don't support netfilter on Synology, and unlike other platforms
- // the following commands error out as the `comment` module doesn't
- // exist in the iptables binary present on Synology. Albeit the errors
- // are ignored it's nice to not have logspam.
- return nil
- }
-
- del := func(table, chain string, args ...string) error {
- exists, err := r.ipt4.Exists(table, chain, args...)
- if err != nil {
- return fmt.Errorf("checking for %v in %s/%s: %w", args, table, chain, err)
- }
- if exists {
- if err := r.ipt4.Delete(table, chain, args...); err != nil {
- return fmt.Errorf("deleting %v in %s/%s: %w", args, table, chain, err)
- }
- }
- return nil
- }
-
- if err := del("filter", "FORWARD", "-m", "comment", "--comment", "tailscale", "-i", r.tunname, "-j", "ACCEPT"); err != nil {
- r.logf("failed to delete legacy rule, continuing anyway: %v", err)
- }
- if err := del("nat", "POSTROUTING", "-m", "comment", "--comment", "tailscale", "-o", "eth0", "-j", "MASQUERADE"); err != nil {
- r.logf("failed to delete legacy rule, continuing anyway: %v", err)
- }
-
- return nil
-}
-
 // cidrDiff calls add and del as needed to make the set of prefixes in
 // old and new match. Returns a map reflecting the actual new state
 // (which may be somewhere in between old and new if some commands