From 3330f2a62f0a0b7386f46f251a008481d7a50170 Mon Sep 17 00:00:00 2001
From: Jason Staack
Date: Sat, 14 Mar 2026 16:24:38 -0500
Subject: [PATCH] feat(vpn): add tenant isolation iptables rules to forwarding script
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../custom-cont-init.d/10-forwarding.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100755 docker-data/wireguard/custom-cont-init.d/10-forwarding.sh

diff --git a/docker-data/wireguard/custom-cont-init.d/10-forwarding.sh b/docker-data/wireguard/custom-cont-init.d/10-forwarding.sh
new file mode 100755
index 0000000..5e83e5e
--- /dev/null
+++ b/docker-data/wireguard/custom-cont-init.d/10-forwarding.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+# Enable forwarding between Docker network and WireGuard tunnel
+# Idempotent: check before adding to prevent duplicates on restart
+iptables -C FORWARD -i eth0 -o wg0 -j ACCEPT 2>/dev/null || iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
+iptables -C FORWARD -i wg0 -o eth0 -j ACCEPT 2>/dev/null || iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
+
+# Block cross-subnet traffic on wg0 (tenant isolation)
+# Peers in 10.10.1.0/24 cannot reach peers in 10.10.2.0/24
+iptables -C FORWARD -i wg0 -o wg0 -j DROP 2>/dev/null || iptables -A FORWARD -i wg0 -o wg0 -j DROP
+
+# Block IPv6 forwarding on wg0 (prevent link-local bypass)
+ip6tables -C FORWARD -i wg0 -j DROP 2>/dev/null || ip6tables -A FORWARD -i wg0 -j DROP
+
+# NAT for return traffic
+iptables -t nat -C POSTROUTING -o wg0 -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
+
+echo "WireGuard forwarding and tenant isolation rules applied"
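Review bot: The tenant-isolation DROP on the `+iptables -C FORWARD -i wg0 -o wg0 -j DROP ... || iptables -A FORWARD -i wg0 -o wg0 -j DROP` line is appended, so it only isolates peers if no earlier FORWARD rule already ACCEPTs traffic arriving on wg0, and the `-C` check confirms that the rule exists but not where it sits, so a rule added by another init step or a tunnel PostUp hook (neither visible here) could precede it depending on start order. Inserting at the head of the chain removes that ordering dependency: `iptables -C FORWARD -i wg0 -o wg0 -j DROP 2>/dev/null || iptables -I FORWARD 1 -i wg0 -o wg0 -j DROP`. The rule also drops all wg0-to-wg0 forwarding, not just 10.10.1.0/24 to 10.10.2.0/24 as the comment above it says, so the comment should read `# Drop all forwarding between wg0 peers (cross-subnet and intra-subnet alike)`. Finally, the script runs without `set -e` and each `2>/dev/null` hides why a `-C` failed (missing rule versus missing capability or binary), so a failed `-A` still reaches the closing `echo` claiming the rules were applied; adding `set -e` directly after the shebang makes a failed append abort before that message.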