diff --git a/dist/images/vpcnatgateway/Dockerfile b/dist/images/vpcnatgateway/Dockerfile
index 8fd5f6ca94e..58828094d9d 100644
--- a/dist/images/vpcnatgateway/Dockerfile
+++ b/dist/images/vpcnatgateway/Dockerfile
@@ -6,7 +6,7 @@ RUN set -ex \
     && apk add --no-cache \
     bash \
     iproute2 \
-    iptables \
+    iptables iptables-legacy \
     iputils \
     tcpdump \
     conntrack-tools
diff --git a/dist/images/vpcnatgateway/nat-gateway.sh b/dist/images/vpcnatgateway/nat-gateway.sh
index 6d75c040824..eaae9e1a7b7 100644
--- a/dist/images/vpcnatgateway/nat-gateway.sh
+++ b/dist/images/vpcnatgateway/nat-gateway.sh
@@ -1,5 +1,11 @@
 #!/usr/bin/env bash
 
+# use iptables-legacy for centos 7
+if iptables-legacy -t nat -S INPUT 1 2>/dev/null; then
+    alias iptables=iptables-legacy
+    alias iptables-save=iptables-legacy-save
+fi
+
 function exec_cmd() {
     cmd=${@:1:${#}}
     $cmd