alexz/runtipi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix host routing: use nft for NAT, insert FORWARD rules before Cisco chains
Some checks failed
Test / test (push) Has been cancelled
Details

Browse Source 
- host-routing.sh: Use nft instead of iptables for NAT masquerade
  (iptables-nft backend doesn't support iptables -t nat commands)
- cisco-vpn: Use -I FORWARD 1 instead of -A FORWARD to insert rules
  BEFORE Cisco VPN chains (which have catch-all DROP rules)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Alex Zaw
2026-01-17 09:21:09 +00:00
parent 4c067c14d8
commit 0dca06fbc8
2 changed files with 19 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
apps/rego-tunnel/shared/cisco-vpn
View File

@@ -341,28 +341,29 @@ setup_forwarding() {
log DEBUG "NAT masquerade for container network already exists"
fi
# Forward rules
# Forward rules - MUST be inserted at position 1 to run BEFORE cisco VPN chains
# The cisco VPN chains have catch-all DROP rules that would block our traffic
if ! iptables -C FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then
run_cmd "Adding forward rule (to target)" iptables -A FORWARD -d "$TARGET_IP" -j ACCEPT
run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -d "$TARGET_IP" -j ACCEPT
else
log DEBUG "Forward rule (to target) already exists"
fi
if ! iptables -C FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then
run_cmd "Adding forward rule (from target)" iptables -A FORWARD -s "$TARGET_IP" -j ACCEPT
run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -s "$TARGET_IP" -j ACCEPT
else
log DEBUG "Forward rule (from target) already exists"
fi
# Accept forwarding from container network
if ! iptables -C FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
run_cmd "Adding forward rule (from container network)" iptables -A FORWARD -s 172.31.0.0/24 -j ACCEPT
run_cmd "Inserting forward rule (from container network)" iptables -I FORWARD 1 -s 172.31.0.0/24 -j ACCEPT
else
log DEBUG "Forward rule (from container network) already exists"
fi
if ! iptables -C FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
run_cmd "Adding forward rule (to container network)" iptables -A FORWARD -d 172.31.0.0/24 -j ACCEPT
run_cmd "Inserting forward rule (to container network)" iptables -I FORWARD 1 -d 172.31.0.0/24 -j ACCEPT
else
log DEBUG "Forward rule (to container network) already exists"
fi