diff --git a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
index f6b493cb7afdc..d63395f8a19f0 100644
--- a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
+++ b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
@@ -715,6 +715,37 @@ spec:
 - name: cni-path
 mountPath: /host/opt/cni/bin
 {{- end }} # .Values.cni.install
+ - name: firewall-pods
+ image: {{ include "cilium.image" .Values.image | quote }}
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ - -exc
+ - |
+ pref=32
+ interface=$(ip route | awk '/^default/ { print $5 }')
+ tc qdisc add dev "${interface}" clsact || true
+ tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
+ handle=0
+ for cidr in ${POD_CIDRS}; do
+ handle=$((handle + 1))
+ tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
+ done
+ env:
+ - name: POD_CIDRS
+ valueFrom:
+ configMapKeyRef:
+ key: encryption-strict-mode-pod-cidrs
+ name: cilium-config
+ optional: true
+ resources:
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
 restartPolicy: Always
 priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
 serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}
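Review bot: The `interface=$(ip route | awk '/^default/ { print $5 }')` line has no guard for a node with no default route or with more than one: `${interface}` is then empty or newline-separated, the resulting `tc` errors on the `qdisc add` and `filter del` lines are masked by `|| true`, and the script only fails at `tc filter replace` under `-e`, which leaves the pod stuck with a misleading error. I would add a check directly after it, `[[ -n "${interface}" && "${interface}" != *$'\n'* ]] || { echo "firewall-pods: expected exactly one default-route interface, got '${interface}'" >&2; exit 1; }`, so the strict-mode drop rules are either installed on the intended interface or the failure is explicit. The `protocol ip flower dst_ip` filter only matches IPv4, so if `encryption-strict-mode-pod-cidrs` can ever carry an IPv6 prefix that entry would fail the same way; presumably the key is IPv4-only today, but a comment stating that next to the loop would help. The container list this entry belongs to (presumably `initContainers`, given its position before `restartPolicy`) starts outside the hunk.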