Script 11 · Networking Gateway
11. TailScale Gateway
Configures a public VPS as an iptables/Tailscale gateway that forwards selected game/API ports to a private backend node.
Category: Networking Gateway
Risk: High
Language: Bash / Linux
What this script does
- Expose selected services through a gateway.
- Forward game ports over Tailscale.
- Persist forwarding rules with netfilter-persistent.
Prerequisites
- Root access
- Tailscale installed and connected
- Target Tailscale IP
- Provider firewall configured to allow the forwarded ports
Execution flow
- Installs iptables-persistent
- Detects WAN interface
- Validates tailscale0
- Flushes iptables chains
- Adds DNAT/MSS/MASQUERADE rules
- Saves rules
Validation checklist
- iptables -t nat -S
- sysctl net.ipv4.ip_forward
- tailscale status
- netfilter-persistent save
Operational cautions
- Flushes firewall chains, which can remove existing security rules.
- Wrong target IP or port list can break routing.
- Provider firewall must also allow traffic.
Original script notes
ℹ️ Script Info: Configures the server as a secure VPN gateway using iptables. It forwards game traffic from the public internet through a Tailscale tunnel directly to a private backend server.
cat << 'EOF' > setup_gateway.sh
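#!/bin/bash
# Configuration Colors (ANSI escape sequences, expanded by printf '%b' below)
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m' # No Color
# Log helpers: one line per call, colour wrapped around the message.
# printf '%b' expands the \033 escapes exactly as 'echo -e' did.
# Warnings and errors go to stderr so they are not mixed into captured stdout.
log_info() { printf '%b\n' "${NC}[INFO] $1"; }
log_success() { printf '%b\n' "${GREEN}[SUCCESS] $1${NC}"; }
log_warn() { printf '%b\n' "${YELLOW}[WARNING] $1${NC}" >&2; }
log_error() { printf '%b\n' "${RED}[ERROR] $1${NC}" >&2; }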
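echo "========================================================"
echo " GAME SERVER GATEWAY CONFIGURATION (AUTO-FIX MODE) "
echo "========================================================"
# ==========================================
# 1. CHECK DEPENDENCIES & AUTO-FIX (APT UPDATE)
# ==========================================
# Makes sure iptables-persistent/netfilter-persistent exist so the rules
# built below can be saved in section 10. Uses the log_* helpers above.
log_info "Checking required system packages..."
if dpkg -s iptables-persistent >/dev/null 2>&1; then
  log_success "Supporting packages already installed."
else
  log_warn "Package 'iptables-persistent' not found. Starting auto-fix..."
  # Prevent interactive dialog (blue screen) during install
  echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
  echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections
  log_info "Running: sudo apt update..."
  # apt-get has the stable scripting interface; a failed index refresh is
  # reported, and the install below decides whether the package is reachable.
  sudo apt-get update -qq || log_warn "apt update failed; trying the install with the current package index."
  log_info "Running: sudo apt install iptables-persistent..."
  # Test the install command itself instead of inspecting $? afterwards.
  if sudo DEBIAN_FRONTEND=noninteractive apt-get install -y iptables-persistent netfilter-persistent; then
    log_success "Packages installed and fixed successfully."
  else
    log_error "Failed to install supporting packages. Check VPS internet."
    exit 1
  fi
fi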
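# ==========================================
# 2. DETECTION & INPUT
# ==========================================
# WAN interface = device of the first default route: the word that follows
# 'dev' on the first line printed by 'ip route show default'.
WAN_IFACE=$(ip route show default 2>/dev/null | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
TS_IFACE="tailscale0"
# Every forwarding rule below binds to -i "$WAN_IFACE"; an empty value would
# make those commands fail after the chains were already flushed, so stop now.
if [ -z "$WAN_IFACE" ]; then
  log_error "No default route found; cannot determine the WAN interface."
  exit 1
fi
log_info "Internet Interface (WAN) detected: $WAN_IFACE"
# Input IP Target (-r keeps backslashes literal)
echo -n "Enter TARGET_IP (Game Server Tailscale IP, E.g.: 100.66.182.75): "
read -r TARGET_IP
if [ -z "$TARGET_IP" ]; then
  log_error "Target IP cannot be empty!"
  exit 1
fi
# The value is spliced into iptables arguments: accept only a dotted-quad
# IPv4 address (the rules are iptables, not ip6tables) so stray words cannot
# turn into extra iptables options.
if ! [[ "$TARGET_IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
  log_error "Target IP '$TARGET_IP' is not a valid IPv4 address."
  exit 1
fi
log_info "Target locked to: $TARGET_IP"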
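# ==========================================
# 3. CHECK TAILSCALE CONNECTION
# ==========================================
log_info "Checking status of interface $TS_IFACE..."
# Poll for the interface (MAX_RETRIES attempts, 2 s apart) so a tunnel that
# 'tailscale up' is still bringing up is not reported missing immediately.
MAX_RETRIES=10
RETRY_COUNT=0
while [ ! -d "/sys/class/net/$TS_IFACE" ]; do
  # Shell arithmetic instead of piping through bc: with bc absent the counter
  # became empty, the -ge test errored out, and the loop never terminated.
  RETRY_COUNT=$((RETRY_COUNT + 1))
  if [ "$RETRY_COUNT" -ge "$MAX_RETRIES" ]; then
    log_error "Interface $TS_IFACE not found. Ensure Tailscale is logged in ('tailscale up')."
    exit 1
  fi
  echo -n "."
  sleep 2
done
echo ""
log_success "Interface $TS_IFACE active."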
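# ==========================================
# 4. KERNEL TUNING (PERFORMANCE & FORWARDING)
# ==========================================
log_info "Configuring Linux Kernel..."
# Runtime values first, so the gateway works right away.
# Enable IP Forwarding
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward > /dev/null
# Disable strict path validation (rp_filter) so VPN packets aren't dropped
# (2 = loose mode). Per-interface entries may not exist, hence the -f test.
for f in /proc/sys/net/ipv4/conf/{all,default,"$WAN_IFACE","$TS_IFACE"}/rp_filter; do
  [ -f "$f" ] && echo 2 | sudo tee "$f" > /dev/null
done
# Persist the same settings. The saved iptables rules survive a reboot but
# /proc values do not, so without this drop-in the gateway would come back
# with forwarding disabled. Drop-in file name is chosen by this script.
SYSCTL_DROPIN=/etc/sysctl.d/99-game-gateway.conf
printf '%s\n' \
  'net.ipv4.ip_forward = 1' \
  'net.ipv4.conf.all.rp_filter = 2' \
  'net.ipv4.conf.default.rp_filter = 2' \
  | sudo tee "$SYSCTL_DROPIN" > /dev/null
# Apply sysctl: -p reads only /etc/sysctl.conf, --system also loads sysctl.d
sudo sysctl --system > /dev/null 2>&1
log_success "Kernel parameters applied."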
# ==========================================
# 5. RESET IPTABLES (CLEANUP)
# ==========================================
log_info "Cleaning old firewall rules..."
# Flush only the chains this script repopulates (filter OUTPUT is left alone).
# Any pre-existing rules in these chains are lost here.
for chain in INPUT FORWARD; do
  sudo iptables -F "$chain"
done
for chain in POSTROUTING PREROUTING; do
  sudo iptables -t nat -F "$chain"
done
sudo iptables -t mangle -F
# Set Default Policy: anything not matched by a rule is accepted. With INPUT
# at ACCEPT the host firewall is open; the INPUT ACCEPT rules added later
# make the intent explicit but restrict nothing.
for chain in FORWARD INPUT OUTPUT; do
  sudo iptables -P "$chain" ACCEPT
done
# OUTPUT ACCEPT is an added rule; user can delete it if issues arise
log_success "Firewall successfully reset."
# ==========================================
# 6. EXCEPTION RULES (SAFETY)
# ==========================================
log_info "Applying security rules (SSH & VPN Protection)..."
# Don't disturb running connections: replies to already-tracked flows pass
# both into the host (INPUT) and through the forwarder (FORWARD).
for chain in INPUT FORWARD; do
  sudo iptables -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
done
# Bypass NAT for important ports (SSH, DNS, HTTP, Tailscale). RETURN leaves
# nat PREROUTING before the DNAT rules of section 8, so these ports stay on
# the VPS even if the forwarded port list is later widened to include them.
ADMIN_TCP_PORTS="22,53,80,2022,443"
TAILSCALE_UDP_PORT=41641
sudo iptables -t nat -A PREROUTING -p tcp -m multiport --dports "$ADMIN_TCP_PORTS" -j RETURN
sudo iptables -t nat -A PREROUTING -p udp --dport "$TAILSCALE_UDP_PORT" -j RETURN
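# ==========================================
# 7. TCP OPTIMIZATION (MSS CLAMPING)
# ==========================================
# Crucial so packets don't fragment inside VPN: the MSS is rewritten on every
# TCP SYN in all three mangle chains (forwarded, incoming, outgoing).
# One knob for the value instead of repeating it in each rule.
TCP_MSS=1240
for chain in FORWARD PREROUTING POSTROUTING; do
  sudo iptables -t mangle -A "$chain" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "$TCP_MSS"
done
log_success "TCP MSS Clamping enabled (Anti-Packet Loss)."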
# ==========================================
# 8. APPLY FORWARDING (WHITELIST)
# ==========================================
# Announce the backend address the DNAT rules below point at.
log_info "Directing game ports to ${TARGET_IP}..."
allow_port() {
local PORT=$1
local COMMENT=$2
# 1. DNAT (Bend Traffic)
sudo iptables -t nat -A PREROUTING -i $WAN_IFACE -p tcp --dport $PORT -j DNAT --to-destination $TARGET_IP
sudo iptables -t nat -A PREROUTING -i $WAN_IFACE -p udp --dport $PORT -j DNAT --to-destination $TARGET_IP
# 2. FORWARD (Allow Through)
sudo iptables -A FORWARD -i $WAN_IFACE -o $TS_IFACE -p tcp -d $TARGET_IP --dport $PORT -j ACCEPT
sudo iptables -A FORWARD -i $WAN_IFACE -o $TS_IFACE -p udp -d $TARGET_IP --dport $PORT -j ACCEPT
echo " - Port $PORT ($COMMENT) -> OK"
}
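# Forward a contiguous TCP+UDP port range from the WAN interface to TARGET_IP.
# Arguments: $1 - first port, $2 - last port (1-65535, $1 <= $2),
#            $3 - label for the summary line
# Globals (read): WAN_IFACE, TS_IFACE, TARGET_IP
# Returns: 1 without touching iptables when the range is not numeric/ordered.
allow_range() {
  local START=$1
  local END=$2
  local COMMENT=$3
  # Same rule as allow_port: validate first, quote every expansion.
  if ! [[ "$START" =~ ^[0-9]+$ && "$END" =~ ^[0-9]+$ ]] || [ "$START" -lt 1 ] || [ "$END" -gt 65535 ] || [ "$START" -gt "$END" ]; then
    printf '%s\n' "[ERROR] allow_range: invalid range '$START-$END' ($COMMENT)" >&2
    return 1
  fi
  local proto
  for proto in tcp udp; do
    sudo iptables -t nat -A PREROUTING -i "$WAN_IFACE" -p "$proto" --dport "$START:$END" -j DNAT --to-destination "$TARGET_IP"
    sudo iptables -A FORWARD -i "$WAN_IFACE" -o "$TS_IFACE" -p "$proto" -d "$TARGET_IP" --dport "$START:$END" -j ACCEPT
  done
  echo " - Range $START-$END ($COMMENT) -> OK"
}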
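# --- PORT LIST (Edit here if needed) ---
# Defined once so the forwarding rules and the INPUT rules below cannot
# drift apart when the list is edited.
WEB_API_PORT=8080
GAME_PORT_START=53000
GAME_PORT_END=60000
allow_port "$WEB_API_PORT" "Web API"
allow_range "$GAME_PORT_START" "$GAME_PORT_END" "Game Channels"
# ==========================================
# 9. ALLOW ACCESS FROM INTERNET (INPUT)
# ==========================================
# Packets rewritten by the DNAT rules take the FORWARD path, not INPUT, so
# these rules only cover traffic addressed to the VPS itself; with the INPUT
# policy at ACCEPT (section 5) they document intent rather than open anything.
sudo iptables -A INPUT -p tcp -m multiport --dports "$WEB_API_PORT,$GAME_PORT_START:$GAME_PORT_END" -j ACCEPT
sudo iptables -A INPUT -p udp -m multiport --dports "$GAME_PORT_START:$GAME_PORT_END" -j ACCEPT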
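# ==========================================
# 10. FINALIZATION & SAVE
# ==========================================
log_info "Activating NAT Masquerade..."
# Inserted at the head of nat POSTROUTING: forwarded packets leaving through
# the tunnel get the VPS's Tailscale source address, so the backend answers
# back through the tunnel rather than towards the original client.
sudo iptables -t nat -I POSTROUTING -o "$TS_IFACE" -j MASQUERADE
log_info "Saving permanent configuration..."
# Only claim success when save and reload both returned 0.
if command -v netfilter-persistent >/dev/null; then
  if sudo netfilter-persistent save && sudo netfilter-persistent reload; then
    log_success "Configuration saved! Safe from reboot."
  else
    log_warn "netfilter-persistent save/reload returned an error; rules are active now but may not survive a reboot."
  fi
else
  log_warn "Failed to save permanently. Check 'netfilter-persistent'."
fi
echo ""
echo "========================================================"
echo " SETUP COMPLETE! GATEWAY ACTIVE: $TARGET_IP "
echo "========================================================"
# $0 is this script's own path; it stays correct when the script is re-run
# from another directory, which the earlier $(pwd) guess did not.
echo "Script saved at: $(readlink -f -- "$0" 2>/dev/null || printf '%s' "$0")"
echo "You can run it again anytime if needed."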
EOF
# Give execution permission and run. Launched via sudo so the per-command
# sudo calls inside the script do not prompt one by one.
chmod +x -- ./setup_gateway.sh && sudo ./setup_gateway.sh