diff --git a/debian/ngcp-rtpengine-iptables-setup b/debian/ngcp-rtpengine-iptables-setup
index 3b9045db7..23e108d90 100755
--- a/debian/ngcp-rtpengine-iptables-setup
+++ b/debian/ngcp-rtpengine-iptables-setup
@@ -29,6 +29,10 @@ if ! test -z "$SET_GROUP"; then
   test -z "$PGID" || MODPROBE_OPTIONS="$MODPROBE_OPTIONS proc_gid=$PGID"
 fi
 
+if ! test -z "$SET_MASK"; then
+  MODPROBE_OPTIONS="$MODPROBE_OPTIONS proc_mask=$SET_MASK"
+fi
+
 ###
 
 if [ -x "$(which ngcp-virt-identify 2>/dev/null)" ]; then
diff --git a/kernel-module/xt_RTPENGINE.c b/kernel-module/xt_RTPENGINE.c
index 5b96678ce..36d59acbb 100644
--- a/kernel-module/xt_RTPENGINE.c
+++ b/kernel-module/xt_RTPENGINE.c
@@ -180,11 +180,14 @@ static uint proc_uid = 0;
 module_param(proc_uid, uint, 0);
 MODULE_PARM_DESC(proc_uid, "rtpengine procfs tree user id");
 
-
 static kgid_t proc_kgid;
 static uint proc_gid = 0;
 module_param(proc_gid, uint, 0);
 MODULE_PARM_DESC(proc_gid, "rtpengine procfs tree group id");
+
+static int proc_mask;
+module_param(proc_mask, hexint, 0);
+MODULE_PARM_DESC(proc_mask, "rtpengine procfs tree mode mask");
 #endif
 
 static uint stream_packets_list_limit = 10;
@@ -779,7 +782,7 @@ static int table_create_proc(struct rtpengine_table *t, uint32_t id) {
 
 	sprintf(num, "%u", id);
 
-	t->proc_root = proc_mkdir_user(num, S_IRUGO | S_IXUGO, my_proc_root);
+	t->proc_root = proc_mkdir_user(num, (S_IRUGO | S_IXUGO) & ~proc_mask, my_proc_root);
 	if (!t->proc_root)
 		return -1;