diff --git a/pkg/encapsulation/ipip.go b/pkg/encapsulation/ipip.go
index 6075afe..5c7ab8b 100644
--- a/pkg/encapsulation/ipip.go
+++ b/pkg/encapsulation/ipip.go
@@ -66,7 +66,17 @@ func (i *ipip) Init(base int) error {
 // Rules returns a set of iptables rules that are necessary
 // when traffic between nodes must be encapsulated.
 func (i *ipip) Rules(nodes []*net.IPNet) []iptables.Rule {
- return iptables.IPIPRules(nodes)
+ var rules []iptables.Rule
+ rules = append(rules, iptables.NewChain("filter", "KILO-IPIP"))
+ rules = append(rules, iptables.NewRule("filter", "INPUT", "-m", "comment", "--comment", "Kilo: jump to IPIP chain", "-p", "4", "-j", "KILO-IPIP"))
+ for _, n := range nodes {
+ // Accept encapsulated traffic from peers.
+ rules = append(rules, iptables.NewRule("filter", "KILO-IPIP", "-m", "comment", "--comment", "Kilo: allow IPIP traffic", "-s", n.IP.String(), "-j", "ACCEPT"))
+ }
+ // Drop all other IPIP traffic.
+ rules = append(rules, iptables.NewRule("filter", "INPUT", "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-p", "4", "-j", "DROP"))
+
+ return rules
 }
 
 // Set sets the IP address of the IPIP interface.
diff --git a/pkg/iptables/iptables.go b/pkg/iptables/iptables.go
index 56b9442..3963e26 100644
--- a/pkg/iptables/iptables.go
+++ b/pkg/iptables/iptables.go
@@ -49,6 +49,11 @@ type rule struct {
 spec []string
 }
 
+// NewRule creates a new iptables rule in the given table and chain.
+func NewRule(table, chain string, spec ...string) Rule {
+ return &rule{table, chain, spec}
+}
+
 func (r *rule) Add(client Client) error {
 if err := client.AppendUnique(r.table, r.chain, r.spec...); err != nil {
 return fmt.Errorf("failed to add iptables rule: %v", err)
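Review bot: The doc comment on Rules does not say that the returned set also drops every protocol-4 (IPIP) packet arriving on INPUT whose outer source address is not one of `nodes`, which is the security-relevant part of this method and something a caller running other IPIP tunnels on the same host needs to know; suggest extending it with `// Rules allows IPIP traffic on INPUT only from the given node addresses and drops all other IPIP traffic.` The allow/drop behavior depends on the jump rule being placed before the DROP rule in INPUT, which holds only because both are appended in slice order; a comment above the DROP line such as `// Must follow the jump to KILO-IPIP: anything not accepted there falls through to this DROP.` makes that ordering dependency explicit for whoever next edits the list. The rule comment string says "reject" while the target is DROP; if it is reworded, note that the comment is part of the spec AppendUnique deduplicates on, so rules installed under the old wording would not be replaced. A nil entry in `nodes` would panic at `n.IP.String()`; whether callers can pass one is not visible here.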
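Review bot: NewRule stores the variadic `spec` slice as-is, so a caller that expands an existing slice with `spec...` and later mutates it silently changes the arguments Add later hands to AppendUnique; copying it, `return &rule{table, chain, append([]string(nil), spec...)}`, makes the returned Rule immutable after construction. The doc comment could also state what the arguments become, e.g. `// NewRule returns a Rule that, on Add, appends spec to chain in table via AppendUnique; spec is passed to iptables verbatim and is not validated.` Keyed fields (`&rule{table: table, chain: chain, spec: spec}`) would keep the constructor correct if the rule struct, whose definition begins outside this hunk, is ever reordered.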
@@ -80,6 +85,11 @@ type chain struct {
 chain string
 }
 
+// NewChain creates a new iptables chain in the given table.
+func NewChain(table, name string) Rule {
+ return &chain{table, name}
+}
+
 func (c *chain) Add(client Client) error {
 if err := client.ClearChain(c.table, c.chain); err != nil {
 return fmt.Errorf("failed to add iptables chain: %v", err)
@@ -263,22 +273,6 @@ func (c *Controller) CleanUp() error {
 return c.deleteFromIndex(0, &c.rules)
 }
 
-// IPIPRules returns a set of iptables rules that are necessary
-// when traffic between nodes must be encapsulated with IPIP.
-func IPIPRules(nodes []*net.IPNet) []Rule {
- var rules []Rule
- rules = append(rules, &chain{"filter", "KILO-IPIP"})
- rules = append(rules, &rule{"filter", "INPUT", []string{"-m", "comment", "--comment", "Kilo: jump to IPIP chain", "-p", "4", "-j", "KILO-IPIP"}})
- for _, n := range nodes {
- // Accept encapsulated traffic from peers.
- rules = append(rules, &rule{"filter", "KILO-IPIP", []string{"-m", "comment", "--comment", "Kilo: allow IPIP traffic", "-s", n.IP.String(), "-j", "ACCEPT"}})
- }
- // Drop all other IPIP traffic.
- rules = append(rules, &rule{"filter", "INPUT", []string{"-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-p", "4", "-j", "DROP"}})
-
- return rules
-}
-
 // ForwardRules returns a set of iptables rules that are necessary
 // when traffic must be forwarded for the overlay.
 func ForwardRules(subnets ...*net.IPNet) []Rule {
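Review bot: The doc comment on NewChain says it "creates a new iptables chain", but the Rule it returns is applied by chain.Add through `client.ClearChain`, which (presumably the go-iptables ClearChain) creates the chain if it is missing and flushes it if it already exists, so adding this Rule for a chain name that is already in use discards that chain's current contents. Suggest documenting that contract: `// NewChain returns a Rule that, on Add, creates the named chain in the given table, flushing it if it already exists.` Callers such as ipip.Rules in this commit rely on that flush-then-repopulate behavior, so it is better stated on the constructor than left implicit. The body of chain.Add continues past the end of this hunk.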