diff --git a/docker/neutron/neutron-base/extend_start.sh b/docker/neutron/neutron-base/extend_start.sh
index 12307fca19..82e087326c 100644
--- a/docker/neutron/neutron-base/extend_start.sh
+++ b/docker/neutron/neutron-base/extend_start.sh
@@ -7,4 +7,15 @@ if [[ $(stat -c %a /var/log/kolla/neutron) != "755" ]]; then
 chmod 755 /var/log/kolla/neutron
 fi
 
+# set legacy iptables to allow kernels not supporting iptables-nft
+if /usr/bin/update-alternatives --query iptables; then
+ if [[ $KOLLA_LEGACY_IPTABLES == "true" ]]; then
+ sudo /usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
+ sudo /usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+ else
+ sudo /usr/bin/update-alternatives --auto iptables
+ sudo /usr/bin/update-alternatives --auto ip6tables
+ fi
+fi
+
 . /usr/local/bin/kolla_neutron_extend_start
diff --git a/docker/neutron/neutron-base/neutron_sudoers b/docker/neutron/neutron-base/neutron_sudoers
index c6459abe11..7a7252e50f 100644
--- a/docker/neutron/neutron-base/neutron_sudoers
+++ b/docker/neutron/neutron-base/neutron_sudoers
@@ -1,2 +1,6 @@
 neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
 neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
+neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
+neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --auto iptables
+neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --auto ip6tables
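Review bot: When `update-alternatives --query iptables` fails in the added outer `if`, the whole block is skipped without a message, so a container started with KOLLA_LEGACY_IPTABLES=true on an image that has no iptables alternatives group keeps its default backend while the operator assumes legacy is active. Because the comment says the setting exists for kernels that cannot run iptables-nft, that mismatch should be visible in the log; before the outer `fi`, add `elif [[ "${KOLLA_LEGACY_IPTABLES:-}" == "true" ]]; then echo "WARNING: KOLLA_LEGACY_IPTABLES=true but no iptables alternatives group found" >&2`. The query also prints the full alternatives record on every start, which `>/dev/null 2>&1` on the condition would suppress. The top of the script is outside the hunk, so it is not visible whether errexit or nounset is set, which decides what happens when the variable is unset or when the `iptables` switch succeeds and the `ip6tables` one fails.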
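Review bot: The four added rules match only when `extend_start.sh` calls `update-alternatives` with exactly these argument lists, and neither file records that coupling. A later edit to the script (an extra flag, a different binary path) would make `sudo` fall back to a password prompt and fail in the non-interactive container start. A comment above the new rules would document it, for example `# Used by extend_start.sh to select the iptables backend; keep the argument lists in sync with that script`. Pinning the full argument list rather than granting `update-alternatives *` is the right shape and worth keeping, since a wildcard would let the neutron user repoint any alternative as root. These rules stay usable by the neutron user for the life of the container, not only at start, which is presumably acceptable next to the rootwrap entries above.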