alexz/runtipi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add TARGET_SUBNET for iptables rules with /24 CIDR

Browse Source 
Keep TARGET_IP as single host, add hardcoded TARGET_SUBNET=10.3.1.0/24
for iptables rules and routes to allow full subnet routing.
This commit is contained in:
Alex Zaw
2026-01-17 17:52:44 +00:00
parent b67b8f18a4
commit 47e1790a8b
1 changed files with 18 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
apps/cistech-tunnel/shared/host-routing.sh
View File

@@ -10,7 +10,8 @@ ACTION="${1:-start}"
# Fixed configuration (we assigned these) # Fixed configuration (we assigned these)
CONTAINER_IP="172.30.0.10" CONTAINER_IP="172.30.0.10"
BRIDGE_NAME="br-cistech-vpn" BRIDGE_NAME="br-cistech-vpn"
TARGET_IP="${TARGET_IP:-10.3.1.0/24}" TARGET_IP="${TARGET_IP:-10.3.1.0}"
TARGET_SUBNET="10.3.1.0/24"
LAN_SUBNET="192.168.0.0/23" LAN_SUBNET="192.168.0.0/23"
LAN_INTERFACES="eth0 eth1 wlan0" LAN_INTERFACES="eth0 eth1 wlan0"
LOG_FILE="/var/log/cistech-routing.log" LOG_FILE="/var/log/cistech-routing.log"
@@ -25,10 +26,10 @@ get_lan_interface() {
} }
remove_routes() { remove_routes() {
log "Removing stale routes for $TARGET_IP..." log "Removing stale routes for $TARGET_SUBNET..."
# Remove any existing route to TARGET_IP # Remove any existing route to TARGET_SUBNET
ip route del "$TARGET_IP" 2>/dev/null || true ip route del "$TARGET_SUBNET" 2>/dev/null || true
log "Stale routes removed" log "Stale routes removed"
} }
@@ -40,28 +41,28 @@ apply_routes() {
log "Applying host routing rules..." log "Applying host routing rules..."
log " Container IP: $CONTAINER_IP" log " Container IP: $CONTAINER_IP"
log " Bridge: $BRIDGE_NAME" log " Bridge: $BRIDGE_NAME"
log " Target Network: $TARGET_IP" log " Target Subnet: $TARGET_SUBNET"
log " LAN interface: ${lan_if:-unknown}" log " LAN interface: ${lan_if:-unknown}"
# Enable IP forwarding # Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
log "IP forwarding enabled" log "IP forwarding enabled"
# Add route to TARGET_IP via container # Add route to TARGET_SUBNET via container
ip route replace "$TARGET_IP" via "$CONTAINER_IP" dev "$BRIDGE_NAME" ip route replace "$TARGET_SUBNET" via "$CONTAINER_IP" dev "$BRIDGE_NAME"
log "Route added: $TARGET_IP via $CONTAINER_IP dev $BRIDGE_NAME" log "Route added: $TARGET_SUBNET via $CONTAINER_IP dev $BRIDGE_NAME"
# Allow forwarding in DOCKER-USER chain for all LAN interfaces # Allow forwarding in DOCKER-USER chain for all LAN interfaces
for lan_if in $LAN_INTERFACES; do for lan_if in $LAN_INTERFACES; do
# Check if interface exists # Check if interface exists
if ip link show "$lan_if" &>/dev/null; then if ip link show "$lan_if" &>/dev/null; then
# Allow traffic from LAN to container for TARGET_IP # Allow traffic from LAN to container for TARGET_SUBNET
iptables -C DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT 2>/dev/null || \ iptables -C DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_SUBNET" -j ACCEPT 2>/dev/null || \
iptables -I DOCKER-USER 1 -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT iptables -I DOCKER-USER 1 -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_SUBNET" -j ACCEPT
# Allow return traffic # Allow return traffic
iptables -C DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \ iptables -C DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_SUBNET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
iptables -I DOCKER-USER 1 -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I DOCKER-USER 1 -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_SUBNET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
log "DOCKER-USER iptables rules added for $lan_if <-> $BRIDGE_NAME" log "DOCKER-USER iptables rules added for $lan_if <-> $BRIDGE_NAME"
fi fi
@@ -76,19 +77,19 @@ apply_routes() {
log "NAT masquerade rule already exists for $LAN_SUBNET -> $BRIDGE_NAME" log "NAT masquerade rule already exists for $LAN_SUBNET -> $BRIDGE_NAME"
fi fi
log "OK: Host routing applied - $TARGET_IP via $CONTAINER_IP ($BRIDGE_NAME)" log "OK: Host routing applied - $TARGET_SUBNET via $CONTAINER_IP ($BRIDGE_NAME)"
} }
remove_all() { remove_all() {
log "Removing all routing rules..." log "Removing all routing rules..."
# Remove route # Remove route
ip route del "$TARGET_IP" via "$CONTAINER_IP" dev "$BRIDGE_NAME" 2>/dev/null || true ip route del "$TARGET_SUBNET" via "$CONTAINER_IP" dev "$BRIDGE_NAME" 2>/dev/null || true
# Remove iptables rules for all LAN interfaces # Remove iptables rules for all LAN interfaces
for lan_if in $LAN_INTERFACES; do for lan_if in $LAN_INTERFACES; do
iptables -D DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT 2>/dev/null || true iptables -D DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_SUBNET" -j ACCEPT 2>/dev/null || true
iptables -D DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true iptables -D DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_SUBNET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
done done
# Remove masquerade rule (using nft) # Remove masquerade rule (using nft)