tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

Tailscale iptables rules block any non-Tailscale IP on 100.64.0.0/10 from working #12555

Open bottiger1 opened 1 week ago

bottiger1 commented 1 week ago

What is the issue?

I have a VM that needs to communicate with another server in the same LAN that has the IP 100.100.0.0, which happens to be in the Tailscale IP range of 100.64.0.0/10. When I turn on Tailscale, I cannot ping or connect to 100.100.0.0 anymore.

I don't have any Tailscale IPs that use 100.100.0.0, but it is still blocked even if I set ipv4 to false.

I think the reason it is blocked is this iptables rule created by Tailscale, which drops any such packets:

```
Chain ts-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       100.82.80.46         0.0.0.0/0
    0     0 RETURN     all  --  !tailscale0 *       100.115.92.0/23      0.0.0.0/0
   13  1014 DROP       all  --  !tailscale0 *       100.64.0.0/10        0.0.0.0/0    <-------------
```

Can this rule be removed? What is the point of this rule? Or is there any automated workaround for this?

Steps to reproduce

No response

Are there any recent changes that introduced the issue?

No response

OS

Linux

OS version

Ubuntu 22.04

Tailscale version

1.68.1

Other software

No response

Bug report

No response

bottiger1 commented 1 week ago

Executing this command after `tailscale up` fixes the problem, but this is a very bad workaround, as there doesn't seem to be any hook to execute commands to add or remove this rule, and Tailscale always puts its own rules at the top.

```
iptables -I INPUT 1 -s 100.100.0.0 -j ACCEPT
```

I would suggest just removing the iptables rule: `DROP all -- !tailscale0 * 100.64.0.0/10`

The relevant line is here:

https://github.com/tailscale/tailscale/blob/24976b5bfd201bb9d8c2757024490d58dbf0ce5e/util/linuxfw/iptables_runner.go#L327

If there's some good reason for this rule then I would like to suggest adding a command line option to specify ips to whitelist.
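The following is an added worked example, not code from the issue or from the Tailscale project. It parses the `ts-input` chain listing quoted above (the `iptables -L ts-input -v -n` column layout) and walks it the way netfilter does, first match wins, so you can see exactly why a LAN host numbered inside 100.64.0.0/10 is dropped when its packets arrive on a physical interface but not when they arrive over `tailscale0`. My reading of the rule, which the thread itself does not state, is that it is an anti-spoofing check: packets claiming a Tailscale-range source that did not come in over the tunnel are refused. The interface name `eth0` and the LAN inventory in the `__main__` block are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the ts-input chain exactly as quoted in the issue,
# in the column layout printed by `iptables -L ts-input -v -n`.
TS_INPUT_LISTING = """\
Chain ts-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       100.82.80.46         0.0.0.0/0
    0     0 RETURN     all  --  !tailscale0 *       100.115.92.0/23      0.0.0.0/0
   13  1014 DROP       all  --  !tailscale0 *       100.64.0.0/10        0.0.0.0/0
"""


@dataclass
class Rule:
    target: str                       # ACCEPT / DROP / RETURN / ...
    in_iface: Optional[str]           # None when the rule says "*" (any interface)
    in_negated: bool                  # True for "!tailscale0"
    source: ipaddress.IPv4Network     # a bare address parses as a /32


def parse_chain(listing: str) -> list[Rule]:
    """Parse the verbose numeric listing of one chain into Rule objects.

    Header lines ("Chain ..." and the column titles) are skipped; a rule
    line is recognised by its leading packet counter.
    """
    rules: list[Rule] = []
    for line in listing.splitlines():
        cols = line.split()
        if len(cols) < 9 or not cols[0].isdigit():
            continue
        target, in_spec, source = cols[2], cols[5], cols[7]
        negated = in_spec.startswith("!")
        iface = in_spec.lstrip("!")
        rules.append(Rule(
            target=target,
            in_iface=None if iface == "*" else iface,
            in_negated=negated,
            source=ipaddress.ip_network(source, strict=False),
        ))
    return rules


def verdict(rules: list[Rule], src_ip: str, in_iface: str) -> str:
    """Walk the chain top to bottom; the first matching rule decides.

    Returns the rule's target, or "RETURN" when nothing matched (netfilter
    then continues in the calling chain, INPUT here).
    """
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip not in r.source:
            continue
        if r.in_iface is not None:
            iface_match = (in_iface == r.in_iface)
            if r.in_negated:
                iface_match = not iface_match
            if not iface_match:
                continue
        return r.target
    return "RETURN"


def dropped_lan_hosts(rules: list[Rule], hosts: list[str], lan_iface: str) -> list[str]:
    """Defender check: which LAN peers would this chain silently drop when
    they reach us over the physical interface?"""
    return [h for h in hosts if verdict(rules, h, lan_iface) == "DROP"]


if __name__ == "__main__":
    rules = parse_chain(TS_INPUT_LISTING)
    # The issue's case: a LAN host numbered inside 100.64.0.0/10, arriving on eth0.
    print(verdict(rules, "100.100.0.0", "eth0"))        # DROP
    # Same source address, but arriving over the tunnel: falls through to INPUT.
    print(verdict(rules, "100.100.0.0", "tailscale0"))  # RETURN
    # Constructed (hypothetical) LAN inventory to audit before enabling Tailscale.
    print(dropped_lan_hosts(rules, ["192.168.1.10", "100.100.0.0", "100.115.92.7"], "eth0"))
```

Running `dropped_lan_hosts` over your real LAN inventory before `tailscale up` tells you which peers will collide with the CGNAT range. The simulation also shows why the `iptables -I INPUT 1 -s 100.100.0.0 -j ACCEPT` workaround takes effect: inserting at position 1 of INPUT places the ACCEPT ahead of the jump into `ts-input`, so the packet never reaches the DROP. As written that exception accepts the address on every interface; restricting it with `-i <lan-interface>` keeps the anti-spoofing property for traffic arriving anywhere else.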