diff --git a/Dockerfile b/Dockerfile
index c546cf657..68e7caa3e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -73,8 +73,8 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\
 
 FROM alpine:3.22
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
-RUN ln -s /sbin/iptables-legacy /sbin/iptables
-RUN ln -s /sbin/ip6tables-legacy /sbin/ip6tables
+RUN rm /usr/sbin/iptables && ln -s /usr/sbin/iptables-legacy /usr/sbin/iptables
+RUN rm /usr/sbin/ip6tables && ln -s /usr/sbin/ip6tables-legacy /usr/sbin/ip6tables
 
 COPY --from=build-env /go/bin/* /usr/local/bin/
 # For compat with the previous run.sh, although ideally you should be
diff --git a/Dockerfile.base b/Dockerfile.base
index 6c3c8ed08..bd68e1572 100644
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -8,5 +8,5 @@ RUN apk add --no-cache ca-certificates iptables iptables-legacy iproute2 ip6tabl
 # suppport nftables, so link back to legacy for backwards compatibility reasons.
 # TODO(irbekrm): add some way how to determine if we still run on nodes that
 # don't support nftables, so that we can eventually remove these symlinks.
-RUN ln -s /sbin/iptables-legacy /sbin/iptables
-RUN ln -s /sbin/ip6tables-legacy /sbin/ip6tables
+RUN rm /usr/sbin/iptables && ln -s /usr/sbin/iptables-legacy /usr/sbin/iptables
+RUN rm /usr/sbin/ip6tables && ln -s /usr/sbin/ip6tables-legacy /usr/sbin/ip6tables