From f45ae6e544f8057547f122cc602c7ec4efac9d71 Mon Sep 17 00:00:00 2001
From: gyurix
Date: Mon, 15 Jun 2026 08:13:59 +0200
Subject: [PATCH] fix: add iptables package and simplify iptables rules

- Add iptables package in Dockerfile alongside iptables-legacy for compatibility.
- Remove redundant `-m tcp` from iptables commands in set_gateway.sh since `-p tcp` already implies the TCP module when using `--dport`.
---
 Dockerfile | 2 +-
 set_gateway.sh | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 7e276e8..dfd9c63 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,7 +12,7 @@ COPY --from=0 /root/.cargo/bin/boringtun-cli /usr/bin/boringtun
 # replace the commented line with the following after service-exec go update
 #RUN apk add --no-cache tini wireguard-tools \
-RUN apk add --no-cache tini wireguard-tools iptables-legacy \
+RUN apk add --no-cache tini wireguard-tools iptables-legacy iptables \
 && apk add --no-cache --virtual .build-deps libcap \
 && setcap cap_net_admin+ep /usr/bin/boringtun \
 && apk del --purge .build-deps \
diff --git a/set_gateway.sh b/set_gateway.sh
index afa91ea..d780e90 100755
--- a/set_gateway.sh
+++ b/set_gateway.sh
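Review bot: The added `iptables` package sits next to `iptables-legacy` with no comment saying what calls the plain `iptables` binary; set_gateway.sh in this same patch only invokes `iptables-legacy`. On Alpine releases where `iptables` resolves to the nft backend (the base image tag is not visible here, so this needs confirming), rules written through the two front ends live in separate rule sets, and `iptables -S` will not show what `iptables-legacy` installed, which makes auditing the container's NAT state error-prone. I would add a comment above the RUN line such as `# iptables: required by <consumer>; NAT rules are managed with iptables-legacy only`, with the consumer filled in. The RUN instruction continues past the end of the hunk.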
@@ -5,10 +5,10 @@ IP_GATEWAY=$(route -n | grep 'UG[ \t]' | awk '{print $2}');
 route add -host $ENDPOINT gw $IP_GATEWAY;
 # temporary added iptables lines
-iptables-legacy -t nat -I PREROUTING -i wg0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.103.2:80
-iptables-legacy -t nat -I PREROUTING -i wg0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.103.2:443
-iptables-legacy -t nat -I POSTROUTING -d 172.18.103.0/24 -p tcp -m tcp --dport 80 -j MASQUERADE
-iptables-legacy -t nat -I POSTROUTING -d 172.18.103.0/24 -p tcp -m tcp --dport 443 -j MASQUERADE
+iptables-legacy -t nat -I PREROUTING -i wg0 -p tcp --dport 80 -j DNAT --to-destination 172.18.103.2:80
+iptables-legacy -t nat -I PREROUTING -i wg0 -p tcp --dport 443 -j DNAT --to-destination 172.18.103.2:443
+iptables-legacy -t nat -I POSTROUTING -d 172.18.103.0/24 -p tcp --dport 80 -j MASQUERADE
+iptables-legacy -t nat -I POSTROUTING -d 172.18.103.0/24 -p tcp --dport 443 -j MASQUERADE
 # need to remove after service-exec go update
 /etc/wireguard/persistentkeepalive.sh &
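Review bot: The four rewritten rules are still inserted with `-I` unconditionally and their exit status is never checked, so a re-run of set_gateway.sh stacks duplicate NAT entries and a failed insert (missing capability or kernel module) goes unnoticed while the tunnel comes up without forwarding. Guarding each rule keeps the script idempotent, e.g. `iptables-legacy -t nat -C PREROUTING -i wg0 -p tcp --dport 80 -j DNAT --to-destination 172.18.103.2:80 2>/dev/null || iptables-legacy -t nat -I PREROUTING -i wg0 -p tcp --dport 80 -j DNAT --to-destination 172.18.103.2:80 || exit 1`, and the same for the other three. Separately, the POSTROUTING MASQUERADE rules carry no interface match, so every connection to 172.18.103.0/24 on ports 80/443 reaches the backend with the gateway's address; the backend's access logs then cannot attribute requests to a WireGuard peer, which deserves a comment next to `# temporary added iptables lines`. The script starts and continues outside the hunk, so whether `set -e` is in effect is not visible.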