@@ -1,22 +1,22 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Host routing script for cistech-tunnel
|
||||
# Routes target subnets through the VPN container
|
||||
# Host routing script for rego-tunnel
|
||||
# Routes TARGET_IP through the VPN container
|
||||
#
|
||||
set -euo pipefail
|
||||
|
||||
ACTION="${1:-start}"
|
||||
|
||||
# Fixed configuration
|
||||
CONTAINER_IP="172.30.0.10"
|
||||
BRIDGE_NAME="br-vpn-static"
|
||||
TARGET_SUBNETS="10.3.1.0/24 10.255.255.0/24"
|
||||
# Fixed configuration (we assigned these)
|
||||
CONTAINER_IP="172.31.0.10"
|
||||
BRIDGE_NAME="br-rego-vpn"
|
||||
TARGET_IP="${TARGET_IP:-10.35.33.230}"
|
||||
LAN_SUBNET="192.168.0.0/23"
|
||||
LAN_INTERFACES="eth0 eth1 wlan0"
|
||||
LOG_FILE="/var/log/cistech-routing.log"
|
||||
LOG_FILE="/var/log/rego-routing.log"
|
||||
|
||||
log() {
|
||||
local msg="[$(date '+%Y-%m-%d %H:%M:%S')] [cistech-routing] $*"
|
||||
local msg="[$(date '+%Y-%m-%d %H:%M:%S')] [rego-routing] $*"
|
||||
echo "$msg" | tee -a "$LOG_FILE" >&2
|
||||
}
|
||||
|
||||
@@ -25,10 +25,12 @@ get_lan_interface() {
|
||||
}
|
||||
|
||||
remove_routes() {
|
||||
log "Removing stale routes..."
|
||||
for subnet in $TARGET_SUBNETS; do
|
||||
ip route del "$subnet" 2>/dev/null || true
|
||||
done
|
||||
log "Removing stale routes for $TARGET_IP..."
|
||||
|
||||
# Remove any existing route to TARGET_IP
|
||||
ip route del "$TARGET_IP" 2>/dev/null || true
|
||||
ip route del "$TARGET_IP/32" 2>/dev/null || true
|
||||
|
||||
log "Stale routes removed"
|
||||
}
|
||||
|
||||
@@ -39,35 +41,35 @@ apply_routes() {
|
||||
log "Applying host routing rules..."
|
||||
log " Container IP: $CONTAINER_IP"
|
||||
log " Bridge: $BRIDGE_NAME"
|
||||
log " Target subnets: $TARGET_SUBNETS"
|
||||
log " Target IP: $TARGET_IP"
|
||||
log " LAN interface: ${lan_if:-unknown}"
|
||||
|
||||
# Enable IP forwarding
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
log "IP forwarding enabled"
|
||||
|
||||
# Add routes to target subnets via container
|
||||
for subnet in $TARGET_SUBNETS; do
|
||||
ip route replace "$subnet" via "$CONTAINER_IP" dev "$BRIDGE_NAME"
|
||||
log "Route added: $subnet via $CONTAINER_IP dev $BRIDGE_NAME"
|
||||
done
|
||||
# Add route to TARGET_IP via container
|
||||
ip route replace "$TARGET_IP/32" via "$CONTAINER_IP" dev "$BRIDGE_NAME"
|
||||
log "Route added: $TARGET_IP via $CONTAINER_IP dev $BRIDGE_NAME"
|
||||
|
||||
# Allow forwarding in DOCKER-USER chain for all LAN interfaces
|
||||
for lan_if in $LAN_INTERFACES; do
|
||||
# Check if interface exists
|
||||
if ip link show "$lan_if" &>/dev/null; then
|
||||
# Allow traffic from LAN to container bridge
|
||||
iptables -C DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -j ACCEPT 2>/dev/null || \
|
||||
iptables -I DOCKER-USER 1 -i "$lan_if" -o "$BRIDGE_NAME" -j ACCEPT
|
||||
# Allow traffic from LAN to container for TARGET_IP
|
||||
iptables -C DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT 2>/dev/null || \
|
||||
iptables -I DOCKER-USER 1 -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT
|
||||
|
||||
# Allow return traffic
|
||||
iptables -C DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
|
||||
iptables -I DOCKER-USER 1 -i "$BRIDGE_NAME" -o "$lan_if" -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -C DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
|
||||
iptables -I DOCKER-USER 1 -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
log "DOCKER-USER iptables rules added for $lan_if <-> $BRIDGE_NAME"
|
||||
fi
|
||||
done
|
||||
|
||||
# Masquerade traffic from LAN subnet to VPN bridge (using nft)
|
||||
# Masquerade traffic from LAN subnet to VPN bridge (so return traffic routes correctly)
|
||||
# Use nft since iptables-nft backend doesn't support iptables -t nat commands
|
||||
if ! nft list chain ip nat POSTROUTING 2>/dev/null | grep -q "saddr $LAN_SUBNET.*oifname.*$BRIDGE_NAME.*masquerade"; then
|
||||
nft add rule ip nat POSTROUTING ip saddr "$LAN_SUBNET" oifname "$BRIDGE_NAME" counter masquerade
|
||||
log "NAT masquerade rule added for $LAN_SUBNET -> $BRIDGE_NAME"
|
||||
@@ -75,21 +77,19 @@ apply_routes() {
|
||||
log "NAT masquerade rule already exists for $LAN_SUBNET -> $BRIDGE_NAME"
|
||||
fi
|
||||
|
||||
log "OK: Host routing applied"
|
||||
log "OK: Host routing applied - $TARGET_IP via $CONTAINER_IP ($BRIDGE_NAME)"
|
||||
}
|
||||
|
||||
remove_all() {
|
||||
log "Removing all routing rules..."
|
||||
|
||||
# Remove routes
|
||||
for subnet in $TARGET_SUBNETS; do
|
||||
ip route del "$subnet" via "$CONTAINER_IP" dev "$BRIDGE_NAME" 2>/dev/null || true
|
||||
done
|
||||
# Remove route
|
||||
ip route del "$TARGET_IP/32" via "$CONTAINER_IP" dev "$BRIDGE_NAME" 2>/dev/null || true
|
||||
|
||||
# Remove iptables rules for all LAN interfaces
|
||||
for lan_if in $LAN_INTERFACES; do
|
||||
iptables -D DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -j ACCEPT 2>/dev/null || true
|
||||
iptables -D DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
|
||||
iptables -D DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT 2>/dev/null || true
|
||||
iptables -D DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
|
||||
done
|
||||
|
||||
# Remove masquerade rule (using nft)
|
||||
|
||||
Reference in New Issue
Block a user