diff --git a/cmd/kg/main.go b/cmd/kg/main.go
index 1834653..b2db9ea 100644
--- a/cmd/kg/main.go
+++ b/cmd/kg/main.go
@@ -115,6 +115,7 @@ var (
 resyncPeriod time.Duration
 iptablesForwardRule bool
 prioritisePrivateAddr bool
+ dropOtherIpIpTraffic bool
 printVersion bool
 logLevel string
@@ -145,6 +146,7 @@ func init() {
 cmd.Flags().DurationVar(&resyncPeriod, "resync-period", 30*time.Second, "How often should the Kilo controllers reconcile?")
 cmd.Flags().BoolVar(&iptablesForwardRule, "iptables-forward-rules", false, "Add default accept rules to the FORWARD chain in iptables. Warning: this may break firewalls with a deny all policy and is potentially insecure!")
 cmd.Flags().BoolVar(&prioritisePrivateAddr, "prioritise-private-addresses", false, "Prefer to assign a private IP address to the node's endpoint.")
+ cmd.Flags().BoolVar(&dropOtherIpIpTraffic, "drop-other-ipip-traffic", true, "Drop other IP-over-IP traffic (not available in compatibility mode).")
 cmd.PersistentFlags().BoolVar(&printVersion, "version", false, "Print version and exit")
 cmd.PersistentFlags().StringVar(&logLevel, "log-level", logLevelInfo, fmt.Sprintf("Log level to use. Possible values: %s", availableLogLevels))
@@ -216,7 +218,7 @@ func runRoot(_ *cobra.Command, _ []string) error {
 case "cilium":
 enc = encapsulation.NewCilium(e)
 default:
- enc = encapsulation.NewIPIP(e)
+ enc = encapsulation.NewIPIP(e, dropOtherIpIpTraffic)
 }
 gr := mesh.Granularity(granularity)
diff --git a/pkg/encapsulation/ipip.go b/pkg/encapsulation/ipip.go
index d92b39f..0915258 100644
--- a/pkg/encapsulation/ipip.go
+++ b/pkg/encapsulation/ipip.go
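Review bot: The help text for the new `drop-other-ipip-traffic` flag in the `init()` hunk does not tell the operator what turning it off means, whereas the neighbouring `iptables-forward-rules` flag spells out its security impact; since this flag gates whether the INPUT DROP rules for non-peer IPIP traffic are emitted at all (see the Rules hunk in pkg/encapsulation/ipip.go), the description should say so, e.g. `"Drop IP-over-IP traffic that does not originate from a known peer (not available in compatibility mode). Warning: disabling this may leave the node's IPIP tunnel reachable from sources other than Kilo peers."`. The default of `true` keeps the existing behaviour, which is worth stating explicitly in the description or the commit message. As a point of style, the identifier `dropOtherIpIpTraffic` does not follow Go's initialism convention and should be `dropOtherIPIPTraffic`; this applies to the `var (` hunk, this hunk, the `runRoot` hunk and both ipip.go hunks. The enclosing `init()` and `runRoot` functions start and end outside their hunks.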
@@ -23,13 +23,14 @@ import (
 )
 type ipip struct {
- iface int
- strategy Strategy
+ iface int
+ strategy Strategy
+ dropOtherIpIpTraffic bool
 }
 // NewIPIP returns an encapsulator that uses IPIP.
-func NewIPIP(strategy Strategy) Encapsulator {
- return &ipip{strategy: strategy}
+func NewIPIP(strategy Strategy, dropOtherIpIpTraffic bool) Encapsulator {
+ return &ipip{strategy: strategy, dropOtherIpIpTraffic: dropOtherIpIpTraffic}
 }
 // CleanUp will remove any created IPIP devices.
@@ -76,9 +77,11 @@ func (i *ipip) Rules(nodes []*net.IPNet) []iptables.Rule {
 // Accept encapsulated traffic from peers.
 rules = append(rules, iptables.NewRule(iptables.GetProtocol(n.IP), "filter", "KILO-IPIP", "-s", n.String(), "-m", "comment", "--comment", "Kilo: allow IPIP traffic", "-j", "ACCEPT"))
 }
- // Drop all other IPIP traffic.
- rules = append(rules, iptables.NewIPv4Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
- rules = append(rules, iptables.NewIPv6Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
+ if i.dropOtherIpIpTraffic {
+ // Drop all other IPIP traffic.
+ rules = append(rules, iptables.NewIPv4Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
+ rules = append(rules, iptables.NewIPv6Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
+ }
 return rules
 }
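Review bot: The doc comment above the changed `NewIPIP` signature still describes a one-argument constructor and says nothing about the new `dropOtherIpIpTraffic` parameter, which is the only place this contract can be read since the struct field is unexported. Suggest `// NewIPIP returns an encapsulator that uses IPIP. When dropOtherIpIpTraffic is true, Rules also emits INPUT rules that drop IPIP traffic not originating from a known peer; when false, only the per-peer ACCEPT rules are produced.` A one-line comment on the new struct field, such as `// dropOtherIpIpTraffic controls whether Rules drops IPIP traffic from non-peer sources.`, would make the field self-explanatory as well.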
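Review bot: The new `if i.dropOtherIpIpTraffic {` guard in `Rules` wraps a security-relevant default-deny without recording why it may be switched off or what the consequence is, so the inner comment should be extended along the lines of `// Drop all other IPIP traffic. This can be disabled with --drop-other-ipip-traffic=false, in which case IPIP packets from non-peer sources are no longer rejected by these rules.` The per-peer ACCEPT rules appended just above the guard are still emitted when the flag is off, which is presumably intended since they do no harm on their own, but a sentence confirming that would save the next reader from wondering. The `Rules` method begins outside this hunk, so the loop that produces the ACCEPT rules is only partly visible here.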