From 7c76016fcffdf3044444063e0cf092c475f6cee4 Mon Sep 17 00:00:00 2001
From: alexz
Date: Sat, 17 Jan 2026 09:26:18 +0000
Subject: [PATCH] Fix FORWARD rules: wait for Cisco chains, then delete+reinsert at pos 1

After VPN reconnects, Cisco agent creates its chains asynchronously, pushing our ACCEPT rules down where they're ineffective. Fix: 1. Wait up to 30s for ciscovpn chain to exist 2. Delete any existing rules (they may be in wrong position) 3. Insert fresh rules at position 1
Co-Authored-By: Claude Opus 4.5
---
 apps/rego-tunnel/shared/cisco-vpn | 44 ++++++++++++++++---------------
 1 file changed, 23 insertions(+), 21 deletions(-)

diff --git a/apps/rego-tunnel/shared/cisco-vpn b/apps/rego-tunnel/shared/cisco-vpn
index 70dca5f..c27f95b 100755
--- a/apps/rego-tunnel/shared/cisco-vpn
+++ b/apps/rego-tunnel/shared/cisco-vpn
@@ -341,32 +341,34 @@ setup_forwarding() {
 log DEBUG "NAT masquerade for container network already exists"
 fi
 
- # Forward rules - MUST be inserted at position 1 to run BEFORE cisco VPN chains
+ # Forward rules - MUST be at position 1 to run BEFORE cisco VPN chains
 # The cisco VPN chains have catch-all DROP rules that would block our traffic
- if ! iptables -C FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then
- run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -d "$TARGET_IP" -j ACCEPT
+
+ # Wait for Cisco to create its chains (they appear after VPN connects)
+ local wait_count=0
+ while ! iptables -L ciscovpn -n &>/dev/null && [ $wait_count -lt 30 ]; do
+ log DEBUG "Waiting for Cisco VPN chains to be created..."
+ sleep 1
+ ((wait_count++))
+ done
+
+ if iptables -L ciscovpn -n &>/dev/null; then
+ log DEBUG "Cisco VPN chains detected"
 else
- log DEBUG "Forward rule (to target) already exists"
+ log WARN "Cisco VPN chains not created after ${wait_count}s - proceeding anyway"
 fi
 
- if ! iptables -C FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then
- run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -s "$TARGET_IP" -j ACCEPT
- else
- log DEBUG "Forward rule (from target) already exists"
- fi
+ # Remove any existing rules first (ignore errors if they don't exist)
+ iptables -D FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null || true
+ iptables -D FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null || true
+ iptables -D FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null || true
+ iptables -D FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null || true
 
- # Accept forwarding from container network
- if ! iptables -C FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
- run_cmd "Inserting forward rule (from container network)" iptables -I FORWARD 1 -s 172.31.0.0/24 -j ACCEPT
- else
- log DEBUG "Forward rule (from container network) already exists"
- fi
-
- if ! iptables -C FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
- run_cmd "Inserting forward rule (to container network)" iptables -I FORWARD 1 -d 172.31.0.0/24 -j ACCEPT
- else
- log DEBUG "Forward rule (to container network) already exists"
- fi
+ # Insert at position 1 (reverse order so they end up in correct order)
+ run_cmd "Inserting forward rule (to container network)" iptables -I FORWARD 1 -d 172.31.0.0/24 -j ACCEPT
+ run_cmd "Inserting forward rule (from container network)" iptables -I FORWARD 1 -s 172.31.0.0/24 -j ACCEPT
+ run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -s "$TARGET_IP" -j ACCEPT
+ run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -d "$TARGET_IP" -j ACCEPT
 
 # Cisco VPN chain bypass (insert at top if chain exists)
 if iptables -L ciscovpn -n &>/dev/null; then
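Review bot: `((wait_count++))` in the new wait loop exits with status 1 on the first pass (post-increment of 0 evaluates to 0), so if this script runs under `set -e` it aborts the moment the ciscovpn chain is absent instead of waiting; use `wait_count=$((wait_count + 1))` instead. The four `iptables -D … || true` lines that follow remove only one match each, so a FORWARD table that already holds duplicate copies from earlier runs keeps the extras below the Cisco jump — a `while iptables -D FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null; do :; done` loop per rule would drain them. Separately, the four ACCEPT rules reinserted at position 1 intentionally precede the Cisco chain's DROP rules yet carry no `-i`/`-o` interface match, so, absent reverse-path filtering, any forwarded packet claiming a 172.31.0.0/24 or `$TARGET_IP` source from whatever interface bypasses the VPN policy; if the container bridge name is known to this script, binding the `-s` rules to it with `-i` would close that hole. The enclosing setup_forwarding function starts and ends outside the hunk.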