diff --git a/.github/workflows/docker-base.yml b/.github/workflows/docker-base.yml
new file mode 100644
index 000000000..3c5931f2d
--- /dev/null
+++ b/.github/workflows/docker-base.yml
@@ -0,0 +1,29 @@
+name: "Validate Docker base image"
+on:
+ workflow_dispatch:
+ pull_request:
+ paths:
+ - "Dockerfile.base"
+ - ".github/workflows/docker-base.yml"
+jobs:
+ build-and-test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: "build and test"
+ run: |
+ set -e
+ IMG="test-base:$(head -c 8 /dev/urandom | xxd -p)"
+ docker build -t "$IMG" -f Dockerfile.base .
+
+ iptables_version=$(docker run --rm "$IMG" iptables --version)
+ if [[ "$iptables_version" != *"(legacy)"* ]]; then
+ echo "ERROR: Docker base image should contain legacy iptables; found ${iptables_version}"
+ exit 1
+ fi
+
+ ip6tables_version=$(docker run --rm "$IMG" ip6tables --version)
+ if [[ "$ip6tables_version" != *"(legacy)"* ]]; then
+ echo "ERROR: Docker base image should contain legacy ip6tables; found ${ip6tables_version}"
+ exit 1
+ fi
diff --git a/Dockerfile b/Dockerfile
index 68e7caa3e..7122f9978 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -73,6 +73,11 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\
 FROM alpine:3.22
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
+# Alpine 3.19 replaced legacy iptables with nftables based implementation.
+# Tailscale is used on some hosts that don't support nftables, such as Synology
+# NAS, so link iptables back to legacy version. Hosts that don't require legacy
+# iptables should be able to use Tailscale in nftables mode. See
+# https://github.com/tailscale/tailscale/issues/17854
 RUN rm /usr/sbin/iptables && ln -s /usr/sbin/iptables-legacy /usr/sbin/iptables
 RUN rm /usr/sbin/ip6tables && ln -s /usr/sbin/ip6tables-legacy /usr/sbin/ip6tables
diff --git a/Dockerfile.base b/Dockerfile.base
index bd68e1572..9b7ae512b 100644
--- a/Dockerfile.base
+++ b/Dockerfile.base
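Review bot: The new workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository's default scope although the steps only need to read the checkout; add `permissions: { contents: read }` at the top level to keep it at least privilege. The `run` block uses bash-only `[[ … ]]` tests and depends on the runner's default shell, so pin it with `shell: bash` on the "build and test" step. Note also that this commit applies the same legacy-iptables symlinks to `Dockerfile`, but `paths:` and the `docker build` step only cover `Dockerfile.base`, so the symlinks in the main image are never exercised by this check.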
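Review bot: The `apk add` context line in this stage installs `iptables` and `ip6tables` but not `iptables-legacy`, whereas the `Dockerfile.base` hunk installs `iptables-legacy` explicitly; if `/usr/sbin/iptables-legacy` is only provided by that package on alpine:3.22, the `ln -s` two lines below would leave a dangling symlink, and the new workflow does not build this Dockerfile so it would not catch that, so the two package lists should be aligned. Separately, the two `RUN rm … && ln -s …` lines (here and in `Dockerfile.base`) could be one layer without the `rm`, e.g. `RUN ln -sf /usr/sbin/iptables-legacy /usr/sbin/iptables && ln -sf /usr/sbin/ip6tables-legacy /usr/sbin/ip6tables`. The final stage beginning at `FROM alpine:3.22` continues past the end of the hunk.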
@@ -3,10 +3,10 @@ FROM alpine:3.22
 RUN apk add --no-cache ca-certificates iptables iptables-legacy iproute2 ip6tables iputils
-# Alpine 3.19 replaced legacy iptables with nftables based implementation. We
-# can't be certain that all hosts that run Tailscale containers currently
-# suppport nftables, so link back to legacy for backwards compatibility reasons.
-# TODO(irbekrm): add some way how to determine if we still run on nodes that
-# don't support nftables, so that we can eventually remove these symlinks.
+# Alpine 3.19 replaced legacy iptables with nftables based implementation.
+# Tailscale is used on some hosts that don't support nftables, such as Synology
+# NAS, so link iptables back to legacy version. Hosts that don't require legacy
+# iptables should be able to use Tailscale in nftables mode. See
+# https://github.com/tailscale/tailscale/issues/17854
 RUN rm /usr/sbin/iptables && ln -s /usr/sbin/iptables-legacy /usr/sbin/iptables
 RUN rm /usr/sbin/ip6tables && ln -s /usr/sbin/ip6tables-legacy /usr/sbin/ip6tables
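Review bot: The rewritten comment drops the removed TODO about tracking when the symlinks can go and does not mention that `.github/workflows/docker-base.yml`, added in this commit, now fails the build when the symlinks are missing, so whoever next bumps the Alpine tag or revisits this block will not know the check exists; append a line such as `# The legacy symlinks are verified by .github/workflows/docker-base.yml.` The wording would also read more cleanly as `nftables-based implementation` and `link iptables back to the legacy version`.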