Script 11 · Networking Gateway

11. Tailscale Gateway

Configures a public VPS as an iptables/Tailscale gateway that forwards selected game/API ports to a private backend node.

Category: Networking Gateway · Risk: High · Language: Bash / Linux

What this script does

  • Expose selected services through a gateway.
  • Forward game ports over Tailscale.
  • Persist forwarding rules with netfilter-persistent.

Prerequisites

  • Root access
  • Tailscale installed and connected
  • Target Tailscale IP
  • Provider firewall aligned with forwarded ports

Execution flow

  1. Installs iptables-persistent and netfilter-persistent non-interactively if they are missing
  2. Detects the WAN interface from the default route and prompts for the target Tailscale IP
  3. Waits up to 20 seconds for tailscale0 to appear
  4. Enables net.ipv4.ip_forward and sets rp_filter to loose mode (2)
  5. Flushes INPUT, FORWARD, nat PREROUTING/POSTROUTING and the whole mangle table, then sets every default policy to ACCEPT
  6. Adds RETURN exceptions for management ports, MSS clamping, DNAT/FORWARD rules for the port list, and MASQUERADE out of tailscale0
  7. Saves the ruleset with netfilter-persistent

Validation checklist

  • iptables -S (policies on INPUT/FORWARD and the WAN → tailscale0 FORWARD accepts)
  • iptables -t nat -S (RETURN exceptions listed before the DNAT rules, DNAT destinations equal to the target IP, MASQUERADE on tailscale0)
  • sysctl net.ipv4.ip_forward (must report 1)
  • tailscale status (target IP present and reachable)
  • cat /etc/iptables/rules.v4 (saved copy matches the live ruleset)
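An added example, not part of the original script or page: a small audit that takes `iptables -t nat -S` output on stdin and checks what the checklist is really after. Every DNAT must land on the configured target, no TCP forwarding range may cover the management port unless a RETURN exception sits ahead of it, and MASQUERADE must be present on the tunnel interface. The two rulesets below are constructed here in the form iptables-save prints (one matching what the script produces, one a deliberately broken edit); the management port 22 and the interface names eth0/tailscale0 are assumptions.

```shell
#!/bin/sh
# Added example, not part of setup_gateway.sh. Audits the NAT table that the
# gateway script builds. Reads `iptables -t nat -S` text on stdin so it can be
# run against a captured file without root. Assumptions: management SSH on
# TCP/22 and tunnel interface tailscale0 (both passed as arguments).

# Print the port spec ("8080", "53000:60000" or "22,53,80") following --dport/--dports.
dport_spec() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "--dport" || $i == "--dports") print $(i + 1) }'
}

# Does port $1 fall inside spec $2? Handles single ports, A:B ranges and comma lists.
port_in_spec() {
    port=$1
    oldifs=$IFS; IFS=','
    for item in $2; do
        lo=${item%%:*}; hi=${item##*:}
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then IFS=$oldifs; return 0; fi
    done
    IFS=$oldifs
    return 1
}

# audit_nat TARGET_IP TS_IFACE MGMT_PORT  < nat-rules
# Returns 0 when clean, 1 when at least one FINDING line was printed.
audit_nat() {
    target=$1; ts=$2; mgmt=$3
    rc=0; mgmt_protected=0; masq=0
    while IFS= read -r line; do
        spec=$(dport_spec "$line")
        case "$line" in
            *" -p tcp "*"-j RETURN")
                # a RETURN covering the management port ahead of the DNATs protects it
                if [ -n "$spec" ] && port_in_spec "$mgmt" "$spec"; then mgmt_protected=1; fi ;;
            *"-j DNAT --to-destination "*)
                dest=${line##*--to-destination }
                if [ "$dest" != "$target" ]; then
                    echo "FINDING: DNAT to unexpected destination $dest: $line"; rc=1
                fi
                case "$line" in *" -p tcp "*)
                    if [ -n "$spec" ] && port_in_spec "$mgmt" "$spec" && [ "$mgmt_protected" -eq 0 ]; then
                        echo "FINDING: TCP/$mgmt is forwarded to the backend (SSH to the gateway hijacked): $line"; rc=1
                    fi ;;
                esac ;;
            *"-o $ts -j MASQUERADE")
                masq=1 ;;
        esac
    done
    if [ "$masq" -eq 0 ]; then
        echo "FINDING: no MASQUERADE on $ts; backend replies would not return through the gateway"; rc=1
    fi
    return $rc
}

# Constructed sample: what `iptables -t nat -S` prints after setup_gateway.sh
# ran with TARGET_IP=100.66.182.75 and WAN interface eth0.
SAMPLE_GOOD='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p tcp -m multiport --dports 22,53,80,2022,443 -j RETURN
-A PREROUTING -p udp -m udp --dport 41641 -j RETURN
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 100.66.182.75
-A PREROUTING -i eth0 -p udp -m udp --dport 8080 -j DNAT --to-destination 100.66.182.75
-A PREROUTING -i eth0 -p tcp -m tcp --dport 53000:60000 -j DNAT --to-destination 100.66.182.75
-A PREROUTING -i eth0 -p udp -m udp --dport 53000:60000 -j DNAT --to-destination 100.66.182.75
-A POSTROUTING -o tailscale0 -j MASQUERADE'

# Constructed sample of a broken edit: range widened to 20:60000 with the RETURN
# exceptions lost, a stray DNAT to the wrong host, and no MASQUERADE.
SAMPLE_BAD='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 20:60000 -j DNAT --to-destination 100.66.182.75
-A PREROUTING -i eth0 -p udp -m udp --dport 20:60000 -j DNAT --to-destination 100.66.182.75
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 100.100.100.100'

if printf '%s\n' "$SAMPLE_GOOD" | audit_nat 100.66.182.75 tailscale0 22; then
    echo "sample ruleset: OK"
fi
printf '%s\n' "$SAMPLE_BAD" | audit_nat 100.66.182.75 tailscale0 22 || echo "sample misconfiguration: flagged (expected)"
# Live use on the gateway:  sudo iptables -t nat -S | audit_nat "$TARGET_IP" tailscale0 22
```

The ordering check matters because nat PREROUTING is first-match: the script appends its RETURN exceptions before the DNATs, so widening the game range over port 22 is harmless there, but anyone who re-creates the rules by hand in a different order, or drops the exceptions, silently forwards SSH to the backend.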

Operational cautions

  • Flushes INPUT, FORWARD, nat PREROUTING/POSTROUTING and the whole mangle table and sets every default policy to ACCEPT. Existing security rules are lost, including the jumps into tailscaled's own ts-input/ts-forward chains (check `iptables -S | grep ts-` afterwards and restart tailscaled if they are missing), and the host firewall is left effectively open, so only the provider firewall protects the VPS itself.
  • MASQUERADE out of tailscale0 rewrites every player's source address to the gateway's Tailscale IP; the backend's logs, rate limits and bans see the gateway, not the player.
  • Wrong target IP or port list can break routing; a forwarded range that overlaps port 22 would hijack SSH to the gateway if the RETURN exception did not precede it.
  • Provider firewall must also allow the forwarded ports and UDP 41641 for Tailscale.
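The first caution is structural: the script flushes chains one at a time and leaves every policy at ACCEPT. As an added example, not code from the script or its author, the following renders the same DNAT, FORWARD and MASQUERADE rules as an iptables-restore file with default-deny INPUT and FORWARD policies, so the whole ruleset is swapped in one transaction instead of flushed and rebuilt. Port 22 for SSH, UDP 41641 for Tailscale, a 1280-byte tailscale0 MTU and trusting tailnet peers to reach the gateway itself are assumptions; adjust them before loading.

```shell
#!/bin/sh
# Added example, not part of setup_gateway.sh. Produces the DNAT/FORWARD/
# MASQUERADE rules the script installs, but as a complete iptables-restore file
# with default-deny INPUT and FORWARD policies. iptables-restore replaces each
# table in one transaction, so there is no moment where the chains sit flushed.
# Assumptions (not from the page): SSH on TCP/22, Tailscale on UDP/41641,
# tailscale0 MTU of 1280, and tailnet peers trusted to reach the gateway.

# MSS that fits an IPv4 TCP segment into the given MTU (20 B IP + 20 B TCP headers).
mss_for_mtu() { echo $(( $1 - 40 )); }

# render_rules WAN_IFACE TS_IFACE TARGET_IP PORTSPEC...
# PORTSPEC is "8080" or "53000:60000" (the same --dport syntax the script uses).
render_rules() {
    wan=$1; ts=$2; target=$3; shift 3
    mss=$(mss_for_mtu 1280)
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -o $ts -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m multiport --dports 22,53,80,2022,443 -j RETURN
-A PREROUTING -p udp --dport 41641 -j RETURN
EOF
    for spec in "$@"; do
        echo "-A PREROUTING -i $wan -p tcp --dport $spec -j DNAT --to-destination $target"
        echo "-A PREROUTING -i $wan -p udp --dport $spec -j DNAT --to-destination $target"
    done
    cat <<EOF
-A POSTROUTING -o $ts -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $wan -p udp --dport 41641 -j ACCEPT
-A INPUT -i $ts -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for spec in "$@"; do
        echo "-A FORWARD -i $wan -o $ts -p tcp -d $target --dport $spec -j ACCEPT"
        echo "-A FORWARD -i $wan -o $ts -p udp -d $target --dport $spec -j ACCEPT"
    done
    echo "COMMIT"
}

# Stand-alone demo with the page's example target and port list.
render_rules eth0 tailscale0 100.66.182.75 8080 53000:60000
# On the gateway, validate first and then load atomically:
#   render_rules "$WAN_IFACE" tailscale0 "$TARGET_IP" 8080 53000:60000 > /tmp/gateway.rules
#   sudo iptables-restore --test < /tmp/gateway.rules && sudo iptables-restore < /tmp/gateway.rules
#   sudo netfilter-persistent save
```

Two caveats. ip_forward and rp_filter are kernel settings, not iptables rules, so this file does not replace the script's sysctl step. And because a restore rebuilds the filter table, tailscaled's ts-input/ts-forward chains are removed along with everything else; restart tailscaled afterwards if you rely on them, or confirm with `iptables -S | grep ts-` that they are back.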

Original script notes

ℹ️ Script Info: Configures the server as a secure VPN gateway using iptables. It forwards game traffic from the public internet through a Tailscale tunnel directly to a private backend server.

Script source
cat << 'EOF' > setup_gateway.sh
#!/bin/bash

# Configuration Colors
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m' # No Color

log_info() { echo -e "${NC}[INFO] $1"; }
log_success() { echo -e "${GREEN}[SUCCESS] $1${NC}"; }
log_warn() { echo -e "${YELLOW}[WARNING] $1${NC}"; }
log_error() { echo -e "${RED}[ERROR] $1${NC}"; }

echo "========================================================"
echo "   GAME SERVER GATEWAY CONFIGURATION (AUTO-FIX MODE)    "
echo "========================================================"

# ==========================================
# 1. CHECK DEPENDENCIES & AUTO-FIX (APT UPDATE)
# ==========================================
log_info "Checking required system packages..."

if ! dpkg -s iptables-persistent >/dev/null 2>&1; then
    log_warn "Package 'iptables-persistent' not found. Starting auto-fix..."
 
    # Prevent interactive dialog (blue screen) during install
    echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
    echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections

    log_info "Running: sudo apt update..."
    sudo apt update -qq

    log_info "Running: sudo apt install iptables-persistent..."
    sudo DEBIAN_FRONTEND=noninteractive apt install -y iptables-persistent netfilter-persistent

    if [ $? -eq 0 ]; then
        log_success "Packages installed and fixed successfully."
    else
        log_error "Failed to install supporting packages. Check VPS internet."
        exit 1
    fi
else
    log_success "Supporting packages already installed."
fi

# ==========================================
# 2. DETECTION & INPUT
# ==========================================
WAN_IFACE=$(ip route | grep default | awk '{print $5}' | head -n1)
TS_IFACE="tailscale0"

if [ -z "$WAN_IFACE" ]; then
    log_error "No default route found; cannot determine the WAN interface."
    exit 1
fi
log_info "Internet Interface (WAN) detected: $WAN_IFACE"

# Input IP Target
echo -n "Enter TARGET_IP (Game Server Tailscale IP, E.g.: 100.66.182.75): "
read -r TARGET_IP

if [ -z "$TARGET_IP" ]; then
    log_error "Target IP cannot be empty!"
    exit 1
fi
# Only a dotted-quad IPv4 address is usable as a DNAT destination
if ! [[ "$TARGET_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    log_error "'$TARGET_IP' is not a valid IPv4 address."
    exit 1
fi
# Tailscale assigns addresses from 100.64.0.0/10; anything else is probably a typo
if ! [[ "$TARGET_IP" =~ ^100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\. ]]; then
    log_warn "$TARGET_IP is outside 100.64.0.0/10, the Tailscale address range. Continuing anyway."
fi
log_info "Target locked to: $TARGET_IP"

# ==========================================
# 3. CHECK TAILSCALE CONNECTION
# ==========================================
log_info "Checking status of interface $TS_IFACE..."
MAX_RETRIES=10
RETRY_COUNT=0

while [ ! -d "/sys/class/net/$TS_IFACE" ]; do
    RETRY_COUNT=$((RETRY_COUNT + 1))   # shell arithmetic; no dependency on bc
    if [ "$RETRY_COUNT" -ge "$MAX_RETRIES" ]; then
        log_error "Interface $TS_IFACE not found. Ensure Tailscale is logged in ('tailscale up')."
        exit 1
    fi
    echo -n "."
    sleep 2
done
echo ""
log_success "Interface $TS_IFACE active."

# ==========================================
# 4. KERNEL TUNING (PERFORMANCE & FORWARDING)
# ==========================================
log_info "Configuring Linux Kernel..."

# Enable IP forwarding and relax reverse-path filtering (rp_filter=2, loose mode)
# so replies leaving over tailscale0 for connections that entered on the WAN
# interface are not dropped. Written to /proc for immediate effect AND to a
# sysctl.d drop-in so the settings survive a reboot ('sysctl -p' alone only
# re-reads /etc/sysctl.conf and would persist nothing).
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward > /dev/null

for f in /proc/sys/net/ipv4/conf/{all,default,$WAN_IFACE,$TS_IFACE}/rp_filter; do
    [ -f "$f" ] && echo 2 | sudo tee "$f" > /dev/null
done

sudo tee /etc/sysctl.d/99-tailscale-gateway.conf > /dev/null <<SYSCTL
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
SYSCTL
sudo sysctl --system > /dev/null 2>&1
log_success "Kernel parameters applied and persisted."

# ==========================================
# 5. RESET IPTABLES (CLEANUP)
# ==========================================
log_info "Cleaning old firewall rules..."
sudo iptables -F INPUT
sudo iptables -F FORWARD
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -F PREROUTING
sudo iptables -t mangle -F

# Set Default Policy. ACCEPT everywhere means the gateway relies entirely on the
# provider firewall to protect the host itself; the INPUT rules added later only
# take effect if this policy is changed to DROP.
sudo iptables -P FORWARD ACCEPT
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
log_success "Firewall successfully reset."

# ==========================================
# 6. EXCEPTION RULES (SAFETY)
# ==========================================
log_info "Applying security rules (SSH & VPN Protection)..."

# Don't disturb running connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Bypass NAT for important ports (SSH, DNS, HTTP, Tailscale)
sudo iptables -t nat -A PREROUTING -p tcp -m multiport --dports 22,53,80,2022,443 -j RETURN
sudo iptables -t nat -A PREROUTING -p udp --dport 41641 -j RETURN

# ==========================================
# 7. TCP OPTIMIZATION (MSS CLAMPING)
# ==========================================
# Crucial so TCP segments fit inside the tunnel without fragmentation:
# tailscale0 has a 1280-byte MTU, minus 20 bytes IPv4 and 20 bytes TCP header = 1240.
# Applied on FORWARD (the forwarded game/API traffic) as well as PREROUTING and
# POSTROUTING so SYNs in either direction are clamped wherever they are seen.
sudo iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1240
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1240
sudo iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1240
log_success "TCP MSS Clamping enabled (prevents PMTU black holes inside the tunnel)."

# ==========================================
# 8. APPLY FORWARDING (WHITELIST)
# ==========================================
log_info "Directing game ports to $TARGET_IP..."

# add_forward PORTSPEC -- PORTSPEC is a single port ("8080") or an iptables
# range ("53000:60000"); both use the same --dport syntax.
add_forward() {
    local PORT="$1"
    # 1. DNAT (Bend Traffic): rewrite the destination to the backend, same port
    sudo iptables -t nat -A PREROUTING -i "$WAN_IFACE" -p tcp --dport "$PORT" -j DNAT --to-destination "$TARGET_IP"
    sudo iptables -t nat -A PREROUTING -i "$WAN_IFACE" -p udp --dport "$PORT" -j DNAT --to-destination "$TARGET_IP"
    # 2. FORWARD (Allow Through): only WAN -> tailscale0 towards the backend
    sudo iptables -A FORWARD -i "$WAN_IFACE" -o "$TS_IFACE" -p tcp -d "$TARGET_IP" --dport "$PORT" -j ACCEPT
    sudo iptables -A FORWARD -i "$WAN_IFACE" -o "$TS_IFACE" -p udp -d "$TARGET_IP" --dport "$PORT" -j ACCEPT
}

# allow_port PORT COMMENT
allow_port() {
    add_forward "$1"
    echo "   - Port $1 ($2) -> OK"
}

# allow_range START END COMMENT
allow_range() {
    add_forward "$1:$2"
    echo "   - Range $1-$2 ($3) -> OK"
}

# --- PORT LIST (Edit here if needed) ---
allow_port 8080 "Web API"
allow_range 53000 60000 "Game Channels"

# ==========================================
# 9. ALLOW ACCESS FROM INTERNET (INPUT)
# ==========================================
# DNATed packets are routed onward and traverse FORWARD, never INPUT, so these
# rules do not influence forwarding. They keep the same ports open on the gateway
# itself and only take effect if the INPUT policy is changed to DROP.
sudo iptables -A INPUT -p tcp -m multiport --dports 8080,53000:60000 -j ACCEPT
sudo iptables -A INPUT -p udp -m multiport --dports 53000:60000 -j ACCEPT

# ==========================================
# 10. FINALIZATION & SAVE
# ==========================================
log_info "Activating NAT Masquerade..."
# Rewrite the source of forwarded packets to the gateway's Tailscale IP so the
# backend's replies come back through the tunnel. Side effect: the backend sees
# every player as the gateway address, not their real IP.
sudo iptables -t nat -I POSTROUTING -o "$TS_IFACE" -j MASQUERADE

log_info "Saving permanent configuration..."
if command -v netfilter-persistent >/dev/null; then
    sudo netfilter-persistent save
    sudo netfilter-persistent reload
    log_success "Configuration saved! Safe from reboot."
else
    log_warn "Failed to save permanently. Check 'netfilter-persistent'."
fi

echo ""
echo "========================================================"
echo "   SETUP COMPLETE! GATEWAY ACTIVE: $TARGET_IP           "
echo "========================================================"
echo "Script saved at: $(pwd)/setup_gateway.sh"
echo "You can run it again anytime if needed."
EOF

# Give execution permission and run
chmod +x setup_gateway.sh && sudo ./setup_gateway.sh