diff --git a/ALPINE.txt b/ALPINE.txt
index 55b698c77..318956c3d 100644
--- a/ALPINE.txt
+++ b/ALPINE.txt
@@ -1 +1 @@
-3.18
\ No newline at end of file
+3.19
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 32cb92ab0..015022e49 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -62,8 +62,10 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\
       -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
       -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot
 
-FROM alpine:3.18
+FROM alpine:3.19
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
+RUN rm /sbin/iptables && ln -s /sbin/iptables-legacy /sbin/iptables
+RUN rm /sbin/ip6tables && ln -s /sbin/ip6tables-legacy /sbin/ip6tables
 
 COPY --from=build-env /go/bin/* /usr/local/bin/
 # For compat with the previous run.sh, although ideally you should be
diff --git a/Dockerfile.base b/Dockerfile.base
index eb4f0a02a..b7e79a43c 100644
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -1,5 +1,12 @@
 # Copyright (c) Tailscale Inc & AUTHORS
 # SPDX-License-Identifier: BSD-3-Clause
 
-FROM alpine:3.18
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables iputils
+FROM alpine:3.19
+RUN apk add --no-cache ca-certificates iptables iptables-legacy iproute2 ip6tables iputils
+# Alpine 3.19 replaces legacy iptables with nftables based implementation.  We
+# can't be certain that all hosts that run Tailscale containers currently
+# suppport nftables, so link back to legacy for backwards compatibility reasons.
+# TODO(irbekrm): add some way how to determine if we still run on nodes that
+# don't support nftables, so that we can eventually remove these symlinks.
+RUN rm /sbin/iptables && ln -s /sbin/iptables-legacy /sbin/iptables
+RUN rm /sbin/ip6tables && ln -s /sbin/ip6tables-legacy /sbin/ip6tables