diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service
deleted file mode 100644
index 0a6d7fa1c8..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/ip6tables.service
+++ /dev/null
@@ -1,6 +0,0 @@
-[Unit]
-Description=Store and restore ip6tables firewall rules
-
-[Install]
-Also=ip6tables-store.service
-Also=ip6tables-restore.service
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service
deleted file mode 100644
index 3643a3e310..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/files/systemd/iptables.service
+++ /dev/null
@@ -1,6 +0,0 @@
-[Unit]
-Description=Store and restore iptables firewall rules
-
-[Install]
-Also=iptables-store.service
-Also=iptables-restore.service
diff --git a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild
index bcf9182795..a6ba56cb35 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-firewall/iptables/iptables-1.8.7.ebuild
@@ -40,12 +40,11 @@ BDEPEND="${BUILD_DEPEND} virtual/yacc ) " -# Flatcar: Drop BUILD_DEPEND, as we would not like to ship -# eselect in the final image. Also, drop net-firewall/arptables as we don't -# ship arptables RDEPEND="${COMMON_DEPEND} + ${BUILD_DEPEND} nftables? ( net-misc/ethertypes ) !/dev/null; then elog "Current iptables implementation is unset, setting to ${default_iptables}" eselect iptables set "${default_iptables}" fi - # Flatcar: Drop the arptables, but retain the `for` structure in favor of lesser diff - # to upstream + if use nftables; then local tables - for tables in ebtables; do + for tables in {arp,eb}tables; do if ! eselect ${tables} show &>/dev/null; then elog "Current ${tables} implementation is unset, setting to ${default_iptables}" - eselect ${tables} set "${default_iptables}" + eselect ${tables} set xtables-nft-multi fi done fi @@ -168,6 +161,17 @@ pkg_prerm() { if ! has_version 'net-firewall/ebtables'; then elog "Unsetting ebtables symlinks before removal" eselect ebtables unset + elif [[ -z ${REPLACED_BY_VERSION} ]]; then + elog "Resetting ebtables symlinks to ebtables-legacy" + eselect ebtables set ebtables-legacy + fi + + if ! has_version 'net-firewall/arptables'; then + elog "Unsetting arptables symlinks before removal" + eselect arptables unset + elif [[ -z ${REPLACED_BY_VERSION} ]]; then + elog "Resetting arptables symlinks to arptables-legacy" + eselect arptables set arptables-legacy fi # the eselect module failing should not be fatal
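Review bot: In the `for tables in {arp,eb}tables` loop the log line and the action disagree: the unchanged `elog "Current ${tables} implementation is unset, setting to ${default_iptables}"` is now followed by the new `eselect ${tables} set xtables-nft-multi`, so the message names one implementation while a different one is selected. Change the message to `elog "Current ${tables} implementation is unset, setting to xtables-nft-multi"` (or set `${default_iptables}` if that was the intent). The header of this hunk and the start of the enclosing function are not visible here; the text between the RDEPEND block and the loop appears truncated, so the rest of that function is unreviewed. Separately, RDEPEND now carries `${BUILD_DEPEND}`, and the removed Flatcar comment stated this was left out so that eselect is not shipped in the final image; if the reversal is deliberate, a one-line comment giving the reason would spare the next maintainer the same question.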
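Review bot: The new arptables block in pkg_prerm is a copy of the ebtables block with the name substituted, while pkg_postinst in the same file iterates `for tables in {arp,eb}tables`; a loop here would keep the two functions consistent and leave one place to change when the unset/reset logic changes. The sketch below does the same work for both tables, including the `[[ -z ${REPLACED_BY_VERSION} ]]` distinction between removal and upgrade. The end of pkg_prerm (the non-fatal return the trailing comment refers to) is outside the hunk.
```shell
	local tables
	for tables in {arp,eb}tables; do
		if ! has_version "net-firewall/${tables}"; then
			elog "Unsetting ${tables} symlinks before removal"
			eselect ${tables} unset
		elif [[ -z ${REPLACED_BY_VERSION} ]]; then
			elog "Resetting ${tables} symlinks to ${tables}-legacy"
			eselect ${tables} set ${tables}-legacy
		fi
	done
	# … unchanged: "the eselect module failing should not be fatal" comment and the rest of pkg_prerm …
```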