diff --git a/roles/common/molecule/default/tests/test_default.py b/roles/common/molecule/default/tests/test_default.py
index c6fb18454d112e87e5e471f1599783557e3598b5..b9148c4bdebeb5bafd77caa4bd85611f1220eb9d 100644
--- a/roles/common/molecule/default/tests/test_default.py
+++ b/roles/common/molecule/default/tests/test_default.py
@@ -438,3 +438,34 @@ def test_pipreqcheck_script_output(host, environment, config_directory):
 assert len(report.stdout.split("\n")) == expected_line_count
 assert expected_warning_message in report.stdout
 assert expected_package_diff in report.stdout
+
+
+@pytest.mark.parametrize('binary_default_path', [
+ '/usr/sbin/iptables-legacy',
+ '/usr/sbin/iptables-legacy-save',
+ '/usr/sbin/iptables-legacy-restore',
+ '/usr/sbin/ip6tables-legacy',
+ '/usr/sbin/ip6tables-legacy-save',
+ '/usr/sbin/ip6tables-legacy-restore',
+])
+def test_legacy_iptables_diversions(host, binary_default_path):
+ """
+ Tests if diversions have been put in place for the legacy iptables
+ tools (prevents newer ferm versions from locating and using them).
+ """
+
+ binary_default = host.file(binary_default_path)
+ binary_diversion = host.file(binary_default_path + '.original')
+ dpkg_divert = host.run('dpkg-divert --list %s', binary_default_path)
+
+ assert dpkg_divert.rc == 0
+ assert binary_default_path in dpkg_divert.stdout
+
+ assert not binary_default.exists
+
+ # These binaries are all symlinks to a singular tool that behaves
+ differently based on calling name.
+ assert binary_diversion.is_symlink
+ assert binary_diversion.user == 'root'
+ assert binary_diversion.group == 'root'
+ assert binary_diversion.mode == 0o777
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 2e54e87a4654998d4c63d135e4e4bac404243d60..9be409c42ff7ef979470fac0cc4202f2a0917409 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
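Review bot: `assert binary_default_path in dpkg_divert.stdout` only shows that some diversion mentions the path; it does not pin that the diversion goes to the `.original` name the role registers, so a stale or differently named diversion would still pass — tighten it to `assert binary_default_path + '.original' in dpkg_divert.stdout`. `binary_diversion.is_symlink` does not check that the renamed link still resolves, so a dangling link would satisfy all four of the closing asserts; consider adding `assert host.file(binary_diversion.linked_to).exists`. The `mode == 0o777` check presumably reads the symlink's own mode rather than the tool behind it, which says nothing about whether that tool is still executable by root only — if that is the intent, assert on the resolved target instead. On this page the second comment line appears as `differently based on calling name.` with no leading `#`; if the file really reads that way the module will not import, so it is worth a glance.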
@@ -180,21 +180,23 @@
 command: "/usr/sbin/update-ca-certificates --fresh"
 when: deploy_ca_certificates_result.changed
+- name: Set-up diversions for legacy iptables tools (prevents ferm from locating and using them)
+ command: "dpkg-divert --divert '{{ item }}.original' --rename '{{ item }}'"
+ register: "iptables_legacy_divert"
+ changed_when: "'Adding' in iptables_legacy_divert.stdout"
+ with_items:
+ - "/usr/sbin/iptables-legacy"
+ - "/usr/sbin/iptables-legacy-restore"
+ - "/usr/sbin/iptables-legacy-save"
+ - "/usr/sbin/ip6tables-legacy"
+ - "/usr/sbin/ip6tables-legacy-restore"
+ - "/usr/sbin/ip6tables-legacy-save"
 - name: Install ferm (for firewall management)
 apt:
 name: ferm
 state: present
-- name: Prevent ferm from using legacy iptables tools
- lineinfile:
- path: "/usr/sbin/ferm"
- regexp: "legacy_name.*="
- line: " my $legacy_name = $1 . '-do-not-use-legacy-' . $2;"
- state: present
- notify:
- - Restart ferm
-
 - name: Configure ferm init script coniguration file
 copy:
 src: "ferm"
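Review bot: The new dpkg-divert task carries no `notify`, whereas the lineinfile task it replaces notified `Restart ferm`; on an already-provisioned host where ferm has applied rules through the legacy tools, adding the diversions will not make ferm re-apply its rules through the remaining tools, so consider adding `notify:` / `- Restart ferm` to the task, and a comment noting that rules already loaded via the legacy backend presumably stay in the kernel until flushed. The task is placed before `Install ferm`, which looks deliberate — dpkg honours a registered diversion when the iptables package is unpacked later — but nothing in the hunk says so; a comment such as `# Must run before ferm/iptables are installed so dpkg places the legacy tools at the diverted name` would keep a later reordering from silently undoing it. Stylistically, `with_items` is the older loop form; `loop:` takes the same list.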