From 47e1790a8b4ec932d6e9984485dcb5034009fcae Mon Sep 17 00:00:00 2001
From: alexz
Date: Sat, 17 Jan 2026 17:52:44 +0000
Subject: [PATCH] Add TARGET_SUBNET for iptables rules with /24 CIDR

Keep TARGET_IP as single host, add hardcoded TARGET_SUBNET=10.3.1.0/24 for iptables rules and routes to allow full subnet routing.
---
 apps/cistech-tunnel/shared/host-routing.sh | 35 +++++++++++-----------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/apps/cistech-tunnel/shared/host-routing.sh b/apps/cistech-tunnel/shared/host-routing.sh
index fa48b65..360a2a8 100644
--- a/apps/cistech-tunnel/shared/host-routing.sh
+++ b/apps/cistech-tunnel/shared/host-routing.sh
@@ -10,7 +10,8 @@ ACTION="${1:-start}"
 # Fixed configuration (we assigned these)
 CONTAINER_IP="172.30.0.10"
 BRIDGE_NAME="br-cistech-vpn"
-TARGET_IP="${TARGET_IP:-10.3.1.0/24}"
+TARGET_IP="${TARGET_IP:-10.3.1.0}"
+TARGET_SUBNET="10.3.1.0/24"
 LAN_SUBNET="192.168.0.0/23"
 LAN_INTERFACES="eth0 eth1 wlan0"
 LOG_FILE="/var/log/cistech-routing.log"
@@ -25,10 +26,10 @@ get_lan_interface() {
 }
 
 remove_routes() {
-log "Removing stale routes for $TARGET_IP..."
+log "Removing stale routes for $TARGET_SUBNET..."
 
-# Remove any existing route to TARGET_IP
-ip route del "$TARGET_IP" 2>/dev/null || true
+# Remove any existing route to TARGET_SUBNET
+ip route del "$TARGET_SUBNET" 2>/dev/null || true
 
 log "Stale routes removed"
 }
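Review bot: The new default `TARGET_IP="${TARGET_IP:-10.3.1.0}"` is the network address of `TARGET_SUBNET`, conventionally not a host, and the two values are no longer tied together: `TARGET_IP` remains overridable from the environment while `TARGET_SUBNET="10.3.1.0/24"` is fixed, so an operator who exports a `TARGET_IP` outside 10.3.1.0/24 gets routes and DOCKER-USER rules (the later hunks) that never cover it. Before this change the overridable value fed every route and rule argument, so deployments that relied on exporting `TARGET_IP` to point at a different network silently lose that control with this hunk. Either make the subnet overridable the same way, `TARGET_SUBNET="${TARGET_SUBNET:-10.3.1.0/24}"`, or fail early when `TARGET_IP` does not fall inside `TARGET_SUBNET`, and record the relationship in the configuration comment, e.g. `# TARGET_IP must be a host inside TARGET_SUBNET; routing and iptables use the subnet`. Whether `TARGET_IP` is still read anywhere else in the file is not visible in this patch.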
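Review bot: `ip route del "$TARGET_SUBNET" 2>/dev/null || true` in remove_routes deletes whichever route to the /24 is present, with no next-hop qualifier, whereas the matching deletion in remove_all (last hunk) is restricted with `via "$CONTAINER_IP" dev "$BRIDGE_NAME"`. With the subnet now fixed rather than taken from the environment, the bare form will also remove a 10.3.1.0/24 route that something other than this script installed, if one exists; if that is deliberate for stale-route cleanup a comment saying so would help, otherwise use the remove_all form here too. In both cases the error is discarded, so `log "Stale routes removed"` is emitted even when nothing was deleted.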
@@ -40,28 +41,28 @@ apply_routes() {
 log "Applying host routing rules..."
 log " Container IP: $CONTAINER_IP"
 log " Bridge: $BRIDGE_NAME"
-log " Target Network: $TARGET_IP"
+log " Target Subnet: $TARGET_SUBNET"
 log " LAN interface: ${lan_if:-unknown}"
 
 # Enable IP forwarding
 echo 1 > /proc/sys/net/ipv4/ip_forward
 log "IP forwarding enabled"
 
-# Add route to TARGET_IP via container
-ip route replace "$TARGET_IP" via "$CONTAINER_IP" dev "$BRIDGE_NAME"
-log "Route added: $TARGET_IP via $CONTAINER_IP dev $BRIDGE_NAME"
+# Add route to TARGET_SUBNET via container
+ip route replace "$TARGET_SUBNET" via "$CONTAINER_IP" dev "$BRIDGE_NAME"
+log "Route added: $TARGET_SUBNET via $CONTAINER_IP dev $BRIDGE_NAME"
 
 # Allow forwarding in DOCKER-USER chain for all LAN interfaces
 for lan_if in $LAN_INTERFACES; do
 # Check if interface exists
 if ip link show "$lan_if" &>/dev/null; then
-# Allow traffic from LAN to container for TARGET_IP
-iptables -C DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT 2>/dev/null || \
-iptables -I DOCKER-USER 1 -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT
+# Allow traffic from LAN to container for TARGET_SUBNET
+iptables -C DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_SUBNET" -j ACCEPT 2>/dev/null || \
+iptables -I DOCKER-USER 1 -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_SUBNET" -j ACCEPT
 
 # Allow return traffic
-iptables -C DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
-iptables -I DOCKER-USER 1 -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -C DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_SUBNET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
+iptables -I DOCKER-USER 1 -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_SUBNET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 log "DOCKER-USER iptables rules added for $lan_if <-> $BRIDGE_NAME"
 fi
@@ -76,19 +77,19 @@ apply_routes() {
 log "NAT masquerade rule already exists for $LAN_SUBNET -> $BRIDGE_NAME"
 fi
 
-log "OK: Host routing applied - $TARGET_IP via $CONTAINER_IP ($BRIDGE_NAME)"
+log "OK: Host routing applied - $TARGET_SUBNET via $CONTAINER_IP ($BRIDGE_NAME)"
 }
 
 remove_all() {
 log "Removing all routing rules..."
 
 # Remove route
-ip route del "$TARGET_IP" via "$CONTAINER_IP" dev "$BRIDGE_NAME" 2>/dev/null || true
+ip route del "$TARGET_SUBNET" via "$CONTAINER_IP" dev "$BRIDGE_NAME" 2>/dev/null || true
 
 # Remove iptables rules for all LAN interfaces
 for lan_if in $LAN_INTERFACES; do
-iptables -D DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT 2>/dev/null || true
-iptables -D DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
+iptables -D DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_SUBNET" -j ACCEPT 2>/dev/null || true
+iptables -D DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_SUBNET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
 done
 
 # Remove masquerade rule (using nft)
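Review bot: The LAN-to-bridge rule inserted at the head of DOCKER-USER, `iptables -I DOCKER-USER 1 -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_SUBNET" -j ACCEPT`, matches any source address arriving on the interface, and now admits the whole /24 rather than whatever `TARGET_IP` named; the script already defines `LAN_SUBNET` for the masquerade rule, so the same constraint fits here. Adding `-s "$LAN_SUBNET"` to both the `-C` probe and the `-I` insert limits forwarding to addresses the LAN actually uses, and the corresponding `-D` in remove_all (last hunk) must carry the same arguments or the rule is never removed. The return-traffic rule is already narrowed by `-m conntrack --ctstate RELATED,ESTABLISHED` and needs no change. apply_routes begins before this hunk and continues past it into the next one.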