tailscale-ip-forward-script/README.md

# Tailscale NAT Configuration Script

## Overview
This script automates the configuration of NAT (Network Address Translation) rules for Tailscale networking, providing an interactive interface to set up port forwarding and network routing between your local network and Tailscale devices.

## Features

### Core Functionality
- Interactive configuration of NAT and port forwarding rules
- Automatic backup of existing iptables rules
- Support for both default and custom port configurations
- Preservation of essential services (SSH, Tailscale UDP)
- Automatic IP forwarding configuration
- Integration with iptables-persistent for rule persistence

### Key Components
- **Automatic Backup System**: Creates timestamped backups before making any changes
- **Port Preservation**: Maintains access to critical services while forwarding other traffic
- **Tailscale Integration**: Specifically designed to work with Tailscale networking
- **Error Handling**: Comprehensive error checking with automatic rollback on failure

## Prerequisites
- Root access required
- Linux system with iptables
- Tailscale installed and configured
- `iptables-persistent` package (will be installed if missing)

## Usage

### Running the Script
```bash
sudo ./script.sh
```

### Interactive Configuration Steps

1. **Source IP Selection**
   - Choose from available network interfaces
   - Option to enter a custom IP address
   - Automatic interface detection

2. **Target Tailscale IP Selection**
   - Lists available Tailscale devices
   - Option to enter custom Tailscale IP
   - Automatic device name detection

3. **Port Configuration**
   - Default ports (SSH TCP 22, Tailscale UDP 41641)
   - Custom port configuration option
   - Separate TCP and UDP port preservation

4. **Configuration Review**
   - Displays selected configuration
   - Shows source and target details
   - Lists preserved ports
   - Confirmation prompt before applying changes

### Default Port Configuration
- TCP Port: 22 (SSH)
- UDP Port: 41641 (Tailscale)

## Safety Features

### Backup System
- Creates timestamped backups before changes
- Automatic rollback on failure
- Maintains backup history in `/etc/iptables/backup/`

### Error Handling
- Comprehensive error checking
- Automatic configuration rollback
- Detailed error messages
- Verification of applied rules

## Technical Details

### NAT Configuration
- DNAT (Destination NAT) for incoming traffic
- SNAT (Source NAT) for outgoing traffic
- Masquerade rules for subnet handling
- Special handling for Tailscale subnet (100.64.0.0/10)

### Firewall Rules
- Forward chain configuration
- State tracking for connections
- ICMP handling
- Interface-specific rules

## File Locations
- Backup Directory: `/etc/iptables/backup/`
- Main Rules File: `/etc/iptables/rules.v4`
- Sysctl Configuration: `/etc/sysctl.d/99-tailscale.conf`

## Troubleshooting

### Common Issues
1. **Permission Denied**
   - Run the script as root (sudo)
   - Check file permissions

2. **Port Conflicts**
   - Verify port availability
   - Check existing port forwarding rules

3. **Connection Issues**
   - Verify IP forwarding is enabled
   - Check Tailscale connection status
   - Verify interface names and IPs

### Recovery
- Use automatic backup restoration
- Manual restore from `/etc/iptables/backup/`
- Reset to default configuration

## Contributing
Please ensure any contributions maintain:
- Comprehensive error handling
- Automatic backup functionality
- Clear user interaction
- Proper documentation

## Security Notes
- Always review configuration before applying
- Keep backup files secure
- Regularly verify port forwarding rules
- Monitor system logs for unusual activity

```
 _____     _ _ ____            _        ____  _             _    
|_   _|_ _(_) / ___|  ___ __ _| | ___  / ___|| |_ __ _  ___| | __
  | |/ _` | | \___ \ / __/ _` | |/ _ \ \___ \| __/ _` |/ __| |/ /
  | | (_| | | |___) | (_| (_| | |  __/  ___) | || (_| | (__|   < 
  |_|\__,_|_|_|____/ \___\__,_|_|\___| |____/ \__\__,_|\___|_|\_\
```