From 901094f60a42ba440fc1881bf18d4a80da044f25 Mon Sep 17 00:00:00 2001
From: Dmitrii Iurco <dmitrii.iurco@gmail.com>
Date: Tue, 21 Apr 2026 01:14:49 -0400
Subject: [PATCH] =?UTF-8?q?feat:=20routing=20page=20=E2=80=94=20port=20for?=
 =?UTF-8?q?warding=20tab,=20live=20iptables,=20diagnostics,=20firewall=20d?=
 =?UTF-8?q?elete?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Backend:
- routing_manager.remove_firewall_rule(): remove stored rule + iptables -D
- routing_manager.get_live_iptables(): dump filter/nat tables from cell-wireguard
- DELETE /api/routing/firewall/<rule_id> endpoint (was missing)
- GET /api/routing/live-iptables endpoint

Frontend Routing.jsx — 7 tabs:
- Overview: proper routing table with destination/gateway/interface columns
- Port Forwarding: clean DNAT form (protocol, ext port → internal IP:port)
- NAT Rules: MASQUERADE/SNAT only, cleaner layout
- Peer Routes: IP route entries through VPN peers
- Firewall: custom rules with working delete button
- Live iptables: read-only terminal view of actual running rules in cell-wireguard
- Diagnostics: ping + traceroute test from server with output display

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 api/app.py                  |   15 +
 api/routing_manager.py      |   43 +
 webui/src/pages/Routing.jsx | 1577 +++++++++++++++++------------------
 webui/src/services/api.js   |    1 +
 4 files changed, 809 insertions(+), 827 deletions(-)

diff --git a/api/app.py b/api/app.py
index 4742029..228d0ee 100644
--- a/api/app.py
+++ b/api/app.py
@@ -1619,6 +1619,21 @@ def add_firewall_rule():
         logger.error(f"Error adding firewall rule: {e}")
         return jsonify({"error": str(e)}), 500
 
+@app.route('/api/routing/firewall/<rule_id>', methods=['DELETE'])
+def remove_firewall_rule(rule_id):
+    try:
+        result = routing_manager.remove_firewall_rule(rule_id)
+        return jsonify({'success': result}), (200 if result else 404)
+    except Exception as e:
+        return jsonify({'error': str(e)}), 500
+
+@app.route('/api/routing/live-iptables', methods=['GET'])
+def get_live_iptables():
+    try:
+        return jsonify(routing_manager.get_live_iptables())
+    except Exception as e:
+        return jsonify({'error': str(e)}), 500
+
 @app.route('/api/routing/connectivity', methods=['POST'])
 def test_routing_connectivity():
     """Test routing connectivity."""
diff --git a/api/routing_manager.py b/api/routing_manager.py
index f117c88..5282557 100644
--- a/api/routing_manager.py
+++ b/api/routing_manager.py
@@ -485,6 +485,49 @@ class RoutingManager(BaseServiceManager):
             logger.error(f"Failed to get routing logs: {e}")
             return {'error': str(e)}
     
+    def remove_firewall_rule(self, rule_id: str) -> bool:
+        """Remove a stored firewall rule and delete it from iptables."""
+        try:
+            rules = self._load_rules()
+            rule = next((r for r in rules['firewall_rules'] if r['id'] == rule_id), None)
+            if not rule:
+                return False
+            rules['firewall_rules'] = [r for r in rules['firewall_rules'] if r['id'] != rule_id]
+            self._save_rules(rules)
+            try:
+                cmd = ['iptables', '-D', rule['rule_type'],
+                       '-s', rule['source'], '-d', rule['destination']]
+                if rule.get('protocol') and rule['protocol'] != 'ALL':
+                    cmd += ['-p', rule['protocol'].lower()]
+                if rule.get('port'):
+                    cmd += ['--dport', str(rule['port'])]
+                if rule.get('port_range'):
+                    cmd += ['--dport', rule['port_range'].replace('-', ':')]
+                cmd += ['-j', rule['action']]
+                subprocess.run(cmd, capture_output=True, timeout=10)
+            except Exception as e:
+                logger.warning(f"iptables -D failed (rule may already be gone): {e}")
+            logger.info(f"Removed firewall rule {rule_id}")
+            return True
+        except Exception as e:
+            logger.error(f"Failed to remove firewall rule: {e}")
+            return False
+
+    def get_live_iptables(self) -> dict:
+        """Return live iptables rules from the WireGuard container."""
+        out = {}
+        for table in ('filter', 'nat'):
+            try:
+                r = subprocess.run(
+                    ['docker', 'exec', 'cell-wireguard',
+                     'iptables', '-t', table, '-L', '-n', '-v', '--line-numbers'],
+                    capture_output=True, text=True, timeout=10
+                )
+                out[table] = r.stdout if r.returncode == 0 else r.stderr
+            except Exception as e:
+                out[table] = str(e)
+        return out
+
     def get_nat_rules(self):
         """Return all NAT rules."""
         rules = self._load_rules()
diff --git a/webui/src/pages/Routing.jsx b/webui/src/pages/Routing.jsx
index 612e479..69403e4 100644
--- a/webui/src/pages/Routing.jsx
+++ b/webui/src/pages/Routing.jsx
@@ -1,827 +1,750 @@
-import { useState, useEffect } from 'react';
-import { Plus, Trash2, Wifi, Shield, Activity, Settings } from 'lucide-react';
-import { routingAPI } from '../services/api';
-
-function Routing() {
-  const [routingStatus, setRoutingStatus] = useState(null);
-  const [isLoading, setIsLoading] = useState(true);
-  const [activeTab, setActiveTab] = useState('overview');
-  // NAT management state
-  const [natRules, setNatRules] = useState([]);
-  const [natLoading, setNatLoading] = useState(false);
-  const [natError, setNatError] = useState(null);
-  const [showNatForm, setShowNatForm] = useState(false);
-  const [newNat, setNewNat] = useState({ source_network: '', target_interface: '', masquerade: true, nat_type: 'MASQUERADE', protocol: 'ALL', external_port: '', internal_ip: '', internal_port: '' });
-  const [natSubmitting, setNatSubmitting] = useState(false);
-  // Peer Routes management state
-  const [peerRoutes, setPeerRoutes] = useState([]);
-  const [peersLoading, setPeersLoading] = useState(false);
-  const [peersError, setPeersError] = useState(null);
-  const [showPeerForm, setShowPeerForm] = useState(false);
-  const [newPeerRoute, setNewPeerRoute] = useState({ peer_name: '', peer_ip: '', allowed_networks: '', route_type: 'lan' });
-  const [peerSubmitting, setPeerSubmitting] = useState(false);
-  // Firewall Rules management state
-  const [firewallRules, setFirewallRules] = useState([]);
-  const [fwLoading, setFwLoading] = useState(false);
-  const [fwError, setFwError] = useState(null);
-  const [showFwForm, setShowFwForm] = useState(false);
-  const [newFwRule, setNewFwRule] = useState({ rule_type: 'INPUT', source: '', destination: '', action: 'ACCEPT', protocol: 'ALL', port_range: '' });
-  const [fwSubmitting, setFwSubmitting] = useState(false);
-  // Network Configuration state
-  const [networkStatus, setNetworkStatus] = useState(null);
-  const [networkLoading, setNetworkLoading] = useState(false);
-  const [networkError, setNetworkError] = useState(null);
-  const [isSettingUp, setIsSettingUp] = useState(false);
-
-  useEffect(() => {
-    fetchRoutingStatus();
-    fetchNatRules();
-    fetchPeerRoutes();
-    fetchFirewallRules();
-    fetchNetworkStatus();
-  }, []);
-
-  const fetchRoutingStatus = async () => {
-    try {
-      const response = await routingAPI.getStatus();
-      setRoutingStatus(response.data);
-    } catch (error) {
-      console.error('Failed to fetch routing status:', error);
-    } finally {
-      setIsLoading(false);
-    }
-  };
-
-  const fetchNatRules = async () => {
-    setNatLoading(true);
-    setNatError(null);
-    try {
-      const response = await routingAPI.getNatRules();
-      setNatRules(response.data.nat_rules || []);
-    } catch (error) {
-      setNatError('Failed to load NAT rules');
-    } finally {
-      setNatLoading(false);
-    }
-  };
-
-  const fetchPeerRoutes = async () => {
-    setPeersLoading(true);
-    setPeersError(null);
-    try {
-      const response = await routingAPI.getPeerRoutes();
-      setPeerRoutes(response.data.peer_routes || []);
-    } catch (error) {
-      setPeersError('Failed to load peer routes');
-    } finally {
-      setPeersLoading(false);
-    }
-  };
-
-  const fetchFirewallRules = async () => {
-    setFwLoading(true);
-    setFwError(null);
-    try {
-      const response = await routingAPI.getFirewallRules();
-      setFirewallRules(response.data.firewall_rules || []);
-    } catch (error) {
-      setFwError('Failed to load firewall rules');
-    } finally {
-      setFwLoading(false);
-    }
-  };
-
-  const fetchNetworkStatus = async () => {
-    setNetworkLoading(true);
-    setNetworkError(null);
-    try {
-      const response = await fetch('/api/routing/status');
-      if (response.ok) {
-        const data = await response.json();
-        setNetworkStatus(data);
-      } else {
-        throw new Error('Failed to fetch network status');
-      }
-    } catch (error) {
-      console.error('Failed to fetch network status:', error);
-      setNetworkError('Failed to fetch network status');
-    } finally {
-      setNetworkLoading(false);
-    }
-  };
-
-  const setupNetworkConfiguration = async () => {
-    setIsSettingUp(true);
-    setNetworkError(null);
-    try {
-      const response = await fetch('/api/routing/setup', {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-      });
-      
-      if (response.ok) {
-        const data = await response.json();
-        console.log('Network setup successful:', data);
-        // Refresh network status
-        await fetchNetworkStatus();
-      } else {
-        const errorData = await response.json();
-        throw new Error(errorData.error || 'Failed to setup network configuration');
-      }
-    } catch (error) {
-      console.error('Failed to setup network configuration:', error);
-      setNetworkError(error.message);
-    } finally {
-      setIsSettingUp(false);
-    }
-  };
-
-  const handleNatInputChange = (e) => {
-    const { name, value, type, checked } = e.target;
-    setNewNat((prev) => ({
-      ...prev,
-      [name]: type === 'checkbox' ? checked : value,
-    }));
-  };
-
-  const handleAddNatRule = async (e) => {
-    e.preventDefault();
-    setNatSubmitting(true);
-    setNatError(null);
-    try {
-      await routingAPI.addNatRule(newNat);
-      setShowNatForm(false);
-      setNewNat({ source_network: '', target_interface: '', masquerade: true, nat_type: 'MASQUERADE', protocol: 'ALL', external_port: '', internal_ip: '', internal_port: '' });
-      fetchNatRules();
-      fetchRoutingStatus();
-    } catch (error) {
-      setNatError('Failed to add NAT rule');
-    } finally {
-      setNatSubmitting(false);
-    }
-  };
-
-  const handleDeleteNatRule = async (ruleId) => {
-    if (!window.confirm('Delete this NAT rule?')) return;
-    setNatLoading(true);
-    setNatError(null);
-    try {
-      await routingAPI.deleteNatRule(ruleId);
-      fetchNatRules();
-      fetchRoutingStatus();
-    } catch (error) {
-      setNatError('Failed to delete NAT rule');
-    } finally {
-      setNatLoading(false);
-    }
-  };
-
-  const handlePeerInputChange = (e) => {
-    const { name, value } = e.target;
-    setNewPeerRoute((prev) => ({ ...prev, [name]: value }));
-  };
-
-  const handleAddPeerRoute = async (e) => {
-    e.preventDefault();
-    setPeerSubmitting(true);
-    setPeersError(null);
-    try {
-      // allowed_networks: comma-separated string to array
-      const payload = {
-        ...newPeerRoute,
-        allowed_networks: newPeerRoute.allowed_networks.split(',').map((s) => s.trim()).filter(Boolean),
-      };
-      await routingAPI.addPeerRoute(payload);
-      setShowPeerForm(false);
-      setNewPeerRoute({ peer_name: '', peer_ip: '', allowed_networks: '', route_type: 'lan' });
-      fetchPeerRoutes();
-      fetchRoutingStatus();
-    } catch (error) {
-      setPeersError('Failed to add peer route');
-    } finally {
-      setPeerSubmitting(false);
-    }
-  };
-
-  const handleDeletePeerRoute = async (peerName) => {
-    if (!window.confirm('Delete this peer route?')) return;
-    setPeersLoading(true);
-    setPeersError(null);
-    try {
-      await routingAPI.deletePeerRoute(peerName);
-      fetchPeerRoutes();
-      fetchRoutingStatus();
-    } catch (error) {
-      setPeersError('Failed to delete peer route');
-    } finally {
-      setPeersLoading(false);
-    }
-  };
-
-  const handleFwInputChange = (e) => {
-    const { name, value } = e.target;
-    setNewFwRule((prev) => ({ ...prev, [name]: value }));
-  };
-
-  const handleAddFwRule = async (e) => {
-    e.preventDefault();
-    setFwSubmitting(true);
-    setFwError(null);
-    try {
-      const payload = { ...newFwRule };
-      if (!payload.port) delete payload.port;
-      await routingAPI.addFirewallRule(payload);
-      setShowFwForm(false);
-      setNewFwRule({ rule_type: 'INPUT', source: '', destination: '', action: 'ACCEPT', protocol: 'ALL', port_range: '' });
-      fetchFirewallRules();
-      fetchRoutingStatus();
-    } catch (error) {
-      setFwError('Failed to add firewall rule');
-    } finally {
-      setFwSubmitting(false);
-    }
-  };
-
-  const handleDeleteFwRule = async (ruleId) => {
-    if (!window.confirm('Delete this firewall rule?')) return;
-    setFwLoading(true);
-    setFwError(null);
-    try {
-      await routingAPI.deleteFirewallRule(ruleId);
-      fetchFirewallRules();
-      fetchRoutingStatus();
-    } catch (error) {
-      setFwError('Failed to delete firewall rule');
-    } finally {
-      setFwLoading(false);
-    }
-  };
-
-  if (isLoading) {
-    return (
-      <div className="flex items-center justify-center h-64">
-        <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-primary-600"></div>
-      </div>
-    );
-  }
-
-  const tabs = [
-    { id: 'overview', name: 'Overview', icon: Activity },
-    { id: 'network', name: 'Network Config', icon: Wifi },
-    { id: 'nat', name: 'NAT Rules', icon: Shield },
-    { id: 'peers', name: 'Peer Routes', icon: Wifi },
-    { id: 'firewall', name: 'Firewall', icon: Settings },
-  ];
-
-  return (
-    <div>
-      <div className="mb-8">
-        <h1 className="text-2xl font-bold text-gray-900">Routing & Gateway</h1>
-        <p className="mt-2 text-gray-600">
-          Manage VPN gateway, NAT rules, and routing configuration
-        </p>
-      </div>
-
-      {/* Status Overview */}
-      {routingStatus && (
-        <div className="mb-8">
-          <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-4 gap-4">
-            <div className="card">
-              <div className="flex items-center">
-                <Shield className="h-8 w-8 text-primary-500" />
-                <div className="ml-4">
-                  <p className="text-sm font-medium text-gray-500">NAT Rules</p>
-                  <p className="text-lg font-semibold text-gray-900">
-                    {routingStatus.nat_rules_count || 0}
-                  </p>
-                </div>
-              </div>
-            </div>
-            
-            <div className="card">
-              <div className="flex items-center">
-                <Wifi className="h-8 w-8 text-primary-500" />
-                <div className="ml-4">
-                  <p className="text-sm font-medium text-gray-500">Peer Routes</p>
-                  <p className="text-lg font-semibold text-gray-900">
-                    {routingStatus.peer_routes_count || 0}
-                  </p>
-                </div>
-              </div>
-            </div>
-            
-            <div className="card">
-              <div className="flex items-center">
-                <Settings className="h-8 w-8 text-primary-500" />
-                <div className="ml-4">
-                  <p className="text-sm font-medium text-gray-500">Firewall Rules</p>
-                  <p className="text-lg font-semibold text-gray-900">
-                    {routingStatus.firewall_rules_count || 0}
-                  </p>
-                </div>
-              </div>
-            </div>
-            
-            <div className="card">
-              <div className="flex items-center">
-                <Activity className="h-8 w-8 text-primary-500" />
-                <div className="ml-4">
-                  <p className="text-sm font-medium text-gray-500">Exit Nodes</p>
-                  <p className="text-lg font-semibold text-gray-900">
-                    {routingStatus.exit_nodes_count || 0}
-                  </p>
-                </div>
-              </div>
-            </div>
-          </div>
-        </div>
-      )}
-
-      {/* Tabs */}
-      <div className="mb-6">
-        <nav className="flex space-x-8">
-          {tabs.map((tab) => (
-            <button
-              key={tab.id}
-              onClick={() => setActiveTab(tab.id)}
-              className={`flex items-center px-1 py-2 border-b-2 font-medium text-sm ${
-                activeTab === tab.id
-                  ? 'border-primary-500 text-primary-600'
-                  : 'border-transparent text-gray-500 hover:text-gray-700 hover:border-gray-300'
-              }`}
-            >
-              <tab.icon className="h-4 w-4 mr-2" />
-              {tab.name}
-            </button>
-          ))}
-        </nav>
-      </div>
-
-      {/* Tab Content */}
-      <div className="card">
-        {activeTab === 'overview' && (
-          <div>
-            <h3 className="text-lg font-medium text-gray-900 mb-4">Routing Overview</h3>
-            {routingStatus?.routing_table && routingStatus.routing_table.length > 0 ? (
-              <div className="space-y-2">
-                {routingStatus.routing_table.map((route, index) => (
-                  <div key={index} className="flex items-center justify-between p-3 bg-gray-50 rounded-lg">
-                    <div className="flex items-center">
-                      <Wifi className="h-4 w-4 text-primary-500 mr-2" />
-                      <span className="text-sm font-medium text-gray-900">
-                        {route.route}
-                      </span>
-                    </div>
-                    <div className="text-xs text-gray-500">
-                      {route.parsed?.via && `via ${route.parsed.via}`}
-                    </div>
-                  </div>
-                ))}
-              </div>
-            ) : (
-              <p className="text-gray-500">No routing table entries available.</p>
-            )}
-          </div>
-        )}
-
-        {activeTab === 'network' && (
-          <div>
-            <div className="flex justify-between items-center mb-4">
-              <h3 className="text-lg font-medium text-gray-900">Network Configuration</h3>
-              <button 
-                className="btn btn-primary flex items-center" 
-                onClick={setupNetworkConfiguration}
-                disabled={isSettingUp}
-              >
-                {isSettingUp ? (
-                  <div className="animate-spin rounded-full h-4 w-4 border-b-2 border-white mr-2"></div>
-                ) : (
-                  <Settings className="h-4 w-4 mr-2" />
-                )}
-                {isSettingUp ? 'Setting up...' : 'Setup Network'}
-              </button>
-            </div>
-
-            {networkLoading ? (
-              <div className="flex justify-center items-center py-8">
-                <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-primary-600"></div>
-              </div>
-            ) : networkStatus ? (
-              <div className="space-y-4">
-                {/* Status cards */}
-                <div className="grid grid-cols-2 lg:grid-cols-4 gap-4">
-                  {[
-                    { label: 'Routing', value: networkStatus.status === 'online' ? 'Online' : 'Offline', ok: networkStatus.running },
-                    { label: 'NAT Rules', value: networkStatus.nat_rules_count ?? 0, ok: true },
-                    { label: 'Firewall Rules', value: networkStatus.firewall_rules_count ?? 0, ok: true },
-                    { label: 'Peer Routes', value: networkStatus.peer_routes_count ?? 0, ok: true },
-                  ].map(item => (
-                    <div key={item.label} className="bg-white p-4 rounded-lg border border-gray-200">
-                      <p className="text-xs text-gray-500">{item.label}</p>
-                      <p className={`text-lg font-semibold mt-1 ${item.ok ? 'text-gray-900' : 'text-red-600'}`}>{item.value}</p>
-                    </div>
-                  ))}
-                </div>
-
-                {/* Routing table */}
-                {networkStatus.routing_status?.routing_table?.length > 0 && (
-                  <div className="bg-gray-50 rounded-lg p-4">
-                    <h4 className="text-sm font-medium text-gray-700 mb-2">Active Routes</h4>
-                    <div className="space-y-1 font-mono text-xs text-gray-600">
-                      {networkStatus.routing_status.routing_table.map((r, i) => (
-                        <div key={i} className="flex gap-4">
-                          <span className="text-gray-900 w-40 truncate">{r.parsed?.destination || r.route}</span>
-                          <span className="text-gray-500">via {r.parsed?.dev || '—'}</span>
-                          {r.parsed?.via && <span className="text-gray-400">{r.parsed.via}</span>}
-                        </div>
-                      ))}
-                    </div>
-                  </div>
-                )}
-
-                <div className="flex gap-2">
-                  <button className="btn btn-secondary text-sm" onClick={fetchNetworkStatus}>Refresh</button>
-                </div>
-              </div>
-            ) : (
-              <div className="text-center py-8">
-                <p className="text-gray-500">Could not load network status</p>
-                <button className="btn btn-primary mt-2" onClick={fetchNetworkStatus}>Retry</button>
-              </div>
-            )}
-          </div>
-        )}
-
-        {activeTab === 'nat' && (
-          <div>
-            <div className="flex justify-between items-center mb-4">
-              <h3 className="text-lg font-medium text-gray-900">NAT Rules</h3>
-              <button className="btn btn-primary flex items-center" onClick={() => setShowNatForm((v) => !v)}>
-                <Plus className="h-4 w-4 mr-2" />
-                {showNatForm ? 'Cancel' : 'Add NAT Rule'}
-              </button>
-            </div>
-            {showNatForm && (
-              <form className="mb-4 p-4 bg-gray-50 rounded-lg" onSubmit={handleAddNatRule}>
-                <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
-                  <input
-                    type="text"
-                    name="source_network"
-                    placeholder="Source Network (e.g. 192.168.1.0/24)"
-                    className="input"
-                    value={newNat.source_network}
-                    onChange={handleNatInputChange}
-                    required
-                  />
-                  <input
-                    type="text"
-                    name="target_interface"
-                    placeholder="Target Interface (e.g. eth0)"
-                    className="input"
-                    value={newNat.target_interface}
-                    onChange={handleNatInputChange}
-                    required
-                  />
-                  <label className="flex items-center space-x-2">
-                    <input
-                      type="checkbox"
-                      name="masquerade"
-                      checked={newNat.masquerade}
-                      onChange={handleNatInputChange}
-                    />
-                    <span>Masquerade</span>
-                  </label>
-                </div>
-                <div className="grid grid-cols-1 md:grid-cols-4 gap-4 mt-4">
-                  <select
-                    name="nat_type"
-                    className="input"
-                    value={newNat.nat_type}
-                    onChange={handleNatInputChange}
-                  >
-                    <option value="MASQUERADE">MASQUERADE</option>
-                    <option value="SNAT">SNAT</option>
-                    <option value="DNAT">DNAT (Port Forward)</option>
-                  </select>
-                  <select
-                    name="protocol"
-                    className="input"
-                    value={newNat.protocol}
-                    onChange={handleNatInputChange}
-                  >
-                    <option value="ALL">ALL</option>
-                    <option value="TCP">TCP</option>
-                    <option value="UDP">UDP</option>
-                  </select>
-                  <input
-                    type="text"
-                    name="external_port"
-                    placeholder="External Port (for DNAT)"
-                    className="input"
-                    value={newNat.external_port}
-                    onChange={handleNatInputChange}
-                  />
-                  <input
-                    type="text"
-                    name="internal_ip"
-                    placeholder="Internal IP (for DNAT)"
-                    className="input"
-                    value={newNat.internal_ip}
-                    onChange={handleNatInputChange}
-                  />
-                  <input
-                    type="text"
-                    name="internal_port"
-                    placeholder="Internal Port (for DNAT)"
-                    className="input"
-                    value={newNat.internal_port}
-                    onChange={handleNatInputChange}
-                  />
-                </div>
-                <div className="text-xs text-gray-500 mt-2">
-                  <span>Advanced: Use DNAT for port forwarding, specify protocol/ports as needed.</span>
-                </div>
-                <div className="mt-4 flex justify-end">
-                  <button type="submit" className="btn btn-primary" disabled={natSubmitting}>
-                    {natSubmitting ? 'Adding...' : 'Add Rule'}
-                  </button>
-                </div>
-                {natError && <p className="text-red-500 mt-2">{natError}</p>}
-              </form>
-            )}
-            {natLoading ? (
-              <div className="py-8 text-center text-gray-500">Loading NAT rules...</div>
-            ) : natError ? (
-              <div className="py-8 text-center text-red-500">{natError}</div>
-            ) : natRules.length === 0 ? (
-              <div className="py-8 text-center text-gray-500">No NAT rules configured.</div>
-            ) : (
-              <table className="min-w-full bg-white rounded-lg overflow-hidden">
-                <thead>
-                  <tr>
-                    <th className="px-4 py-2 text-left">Source Network</th>
-                    <th className="px-4 py-2 text-left">Target Interface</th>
-                    <th className="px-4 py-2 text-left">Masquerade</th>
-                    <th className="px-4 py-2 text-left">Type</th>
-                    <th className="px-4 py-2 text-left">Protocol</th>
-                    <th className="px-4 py-2 text-left">Ext Port</th>
-                    <th className="px-4 py-2 text-left">Int IP</th>
-                    <th className="px-4 py-2 text-left">Int Port</th>
-                    <th className="px-4 py-2"></th>
-                  </tr>
-                </thead>
-                <tbody>
-                  {natRules.map((rule, idx) => (
-                    <tr key={rule.id || idx} className="border-t">
-                      <td className="px-4 py-2">{rule.source_network}</td>
-                      <td className="px-4 py-2">{rule.target_interface}</td>
-                      <td className="px-4 py-2">{rule.masquerade ? 'Yes' : 'No'}</td>
-                      <td className="px-4 py-2">{rule.nat_type || 'MASQUERADE'}</td>
-                      <td className="px-4 py-2">{rule.protocol || 'ALL'}</td>
-                      <td className="px-4 py-2">{rule.external_port || '-'}</td>
-                      <td className="px-4 py-2">{rule.internal_ip || '-'}</td>
-                      <td className="px-4 py-2">{rule.internal_port || '-'}</td>
-                      <td className="px-4 py-2 text-right">
-                        <button
-                          className="btn btn-danger btn-sm flex items-center"
-                          onClick={() => handleDeleteNatRule(rule.id || idx)}
-                        >
-                          <Trash2 className="h-4 w-4 mr-1" /> Delete
-                        </button>
-                      </td>
-                    </tr>
-                  ))}
-                </tbody>
-              </table>
-            )}
-          </div>
-        )}
-
-        {activeTab === 'peers' && (
-          <div>
-            <div className="flex justify-between items-center mb-4">
-              <h3 className="text-lg font-medium text-gray-900">Peer Routes</h3>
-              <button className="btn btn-primary flex items-center" onClick={() => setShowPeerForm((v) => !v)}>
-                <Plus className="h-4 w-4 mr-2" />
-                {showPeerForm ? 'Cancel' : 'Add Peer Route'}
-              </button>
-            </div>
-            {showPeerForm && (
-              <form className="mb-4 p-4 bg-gray-50 rounded-lg" onSubmit={handleAddPeerRoute}>
-                <div className="grid grid-cols-1 md:grid-cols-4 gap-4">
-                  <input
-                    type="text"
-                    name="peer_name"
-                    placeholder="Peer Name"
-                    className="input"
-                    value={newPeerRoute.peer_name}
-                    onChange={handlePeerInputChange}
-                    required
-                  />
-                  <input
-                    type="text"
-                    name="peer_ip"
-                    placeholder="Peer IP (e.g. 10.0.0.2)"
-                    className="input"
-                    value={newPeerRoute.peer_ip}
-                    onChange={handlePeerInputChange}
-                    required
-                  />
-                  <input
-                    type="text"
-                    name="allowed_networks"
-                    placeholder="Allowed Networks (comma-separated)"
-                    className="input"
-                    value={newPeerRoute.allowed_networks}
-                    onChange={handlePeerInputChange}
-                  />
-                  <select
-                    name="route_type"
-                    className="input"
-                    value={newPeerRoute.route_type}
-                    onChange={handlePeerInputChange}
-                  >
-                    <option value="lan">LAN</option>
-                    <option value="exit">Exit</option>
-                    <option value="bridge">Bridge</option>
-                    <option value="split">Split</option>
-                  </select>
-                </div>
-                <div className="mt-4 flex justify-end">
-                  <button type="submit" className="btn btn-primary" disabled={peerSubmitting}>
-                    {peerSubmitting ? 'Adding...' : 'Add Route'}
-                  </button>
-                </div>
-                {peersError && <p className="text-red-500 mt-2">{peersError}</p>}
-              </form>
-            )}
-            {peersLoading ? (
-              <div className="py-8 text-center text-gray-500">Loading peer routes...</div>
-            ) : peersError ? (
-              <div className="py-8 text-center text-red-500">{peersError}</div>
-            ) : peerRoutes.length === 0 ? (
-              <div className="py-8 text-center text-gray-500">No peer routes configured.</div>
-            ) : (
-              <table className="min-w-full bg-white rounded-lg overflow-hidden">
-                <thead>
-                  <tr>
-                    <th className="px-4 py-2 text-left">Peer Name</th>
-                    <th className="px-4 py-2 text-left">Peer IP</th>
-                    <th className="px-4 py-2 text-left">Allowed Networks</th>
-                    <th className="px-4 py-2 text-left">Route Type</th>
-                    <th className="px-4 py-2"></th>
-                  </tr>
-                </thead>
-                <tbody>
-                  {peerRoutes.map((route, idx) => (
-                    <tr key={route.peer_name || idx} className="border-t">
-                      <td className="px-4 py-2">{route.peer_name}</td>
-                      <td className="px-4 py-2">{route.peer_ip}</td>
-                      <td className="px-4 py-2">{Array.isArray(route.allowed_networks) ? route.allowed_networks.join(', ') : route.allowed_networks}</td>
-                      <td className="px-4 py-2">{route.route_type}</td>
-                      <td className="px-4 py-2 text-right">
-                        <button
-                          className="btn btn-danger btn-sm flex items-center"
-                          onClick={() => handleDeletePeerRoute(route.peer_name)}
-                        >
-                          <Trash2 className="h-4 w-4 mr-1" /> Delete
-                        </button>
-                      </td>
-                    </tr>
-                  ))}
-                </tbody>
-              </table>
-            )}
-          </div>
-        )}
-
-        {activeTab === 'firewall' && (
-          <div>
-            <div className="flex justify-between items-center mb-4">
-              <h3 className="text-lg font-medium text-gray-900">Firewall Rules</h3>
-              <button className="btn btn-primary flex items-center" onClick={() => setShowFwForm((v) => !v)}>
-                <Plus className="h-4 w-4 mr-2" />
-                {showFwForm ? 'Cancel' : 'Add Firewall Rule'}
-              </button>
-            </div>
-            {showFwForm && (
-              <form className="mb-4 p-4 bg-gray-50 rounded-lg" onSubmit={handleAddFwRule}>
-                <div className="grid grid-cols-1 md:grid-cols-6 gap-4">
-                  <select
-                    name="rule_type"
-                    className="input"
-                    value={newFwRule.rule_type}
-                    onChange={handleFwInputChange}
-                  >
-                    <option value="INPUT">INPUT</option>
-                    <option value="OUTPUT">OUTPUT</option>
-                    <option value="FORWARD">FORWARD</option>
-                  </select>
-                  <input
-                    type="text"
-                    name="source"
-                    placeholder="Source (e.g. 192.168.1.0/24)"
-                    className="input"
-                    value={newFwRule.source}
-                    onChange={handleFwInputChange}
-                    required
-                  />
-                  <input
-                    type="text"
-                    name="destination"
-                    placeholder="Destination (e.g. 0.0.0.0/0)"
-                    className="input"
-                    value={newFwRule.destination}
-                    onChange={handleFwInputChange}
-                    required
-                  />
-                  <select
-                    name="protocol"
-                    className="input"
-                    value={newFwRule.protocol}
-                    onChange={handleFwInputChange}
-                  >
-                    <option value="ALL">ALL</option>
-                    <option value="TCP">TCP</option>
-                    <option value="UDP">UDP</option>
-                    <option value="ICMP">ICMP</option>
-                  </select>
-                  <input
-                    type="text"
-                    name="port_range"
-                    placeholder="Port or Range (e.g. 80 or 1000-2000)"
-                    className="input"
-                    value={newFwRule.port_range}
-                    onChange={handleFwInputChange}
-                  />
-                  <select
-                    name="action"
-                    className="input"
-                    value={newFwRule.action}
-                    onChange={handleFwInputChange}
-                  >
-                    <option value="ACCEPT">ACCEPT</option>
-                    <option value="DROP">DROP</option>
-                    <option value="REJECT">REJECT</option>
-                  </select>
-                </div>
-                <div className="text-xs text-gray-500 mt-2">
-                  <span>Advanced: Specify protocol and port/range for granular matching.</span>
-                </div>
-                <div className="mt-4 flex justify-end">
-                  <button type="submit" className="btn btn-primary" disabled={fwSubmitting}>
-                    {fwSubmitting ? 'Adding...' : 'Add Rule'}
-                  </button>
-                </div>
-                {fwError && <p className="text-red-500 mt-2">{fwError}</p>}
-              </form>
-            )}
-            {fwLoading ? (
-              <div className="py-8 text-center text-gray-500">Loading firewall rules...</div>
-            ) : fwError ? (
-              <div className="py-8 text-center text-red-500">{fwError}</div>
-            ) : firewallRules.length === 0 ? (
-              <div className="py-8 text-center text-gray-500">No firewall rules configured.</div>
-            ) : (
-              <table className="min-w-full bg-white rounded-lg overflow-hidden">
-                <thead>
-                  <tr>
-                    <th className="px-4 py-2 text-left">Rule Type</th>
-                    <th className="px-4 py-2 text-left">Source</th>
-                    <th className="px-4 py-2 text-left">Destination</th>
-                    <th className="px-4 py-2 text-left">Protocol</th>
-                    <th className="px-4 py-2 text-left">Port/Range</th>
-                    <th className="px-4 py-2 text-left">Action</th>
-                    <th className="px-4 py-2"></th>
-                  </tr>
-                </thead>
-                <tbody>
-                  {firewallRules.map((rule, idx) => (
-                    <tr key={rule.id || idx} className="border-t">
-                      <td className="px-4 py-2">{rule.rule_type}</td>
-                      <td className="px-4 py-2">{rule.source}</td>
-                      <td className="px-4 py-2">{rule.destination}</td>
-                      <td className="px-4 py-2">{rule.protocol || 'ALL'}</td>
-                      <td className="px-4 py-2">{rule.port_range || '-'}</td>
-                      <td className="px-4 py-2">{rule.action}</td>
-                      <td className="px-4 py-2 text-right">
-                        <button
-                          className="btn btn-danger btn-sm flex items-center"
-                          onClick={() => handleDeleteFwRule(rule.id || idx)}
-                        >
-                          <Trash2 className="h-4 w-4 mr-1" /> Delete
-                        </button>
-                      </td>
-                    </tr>
-                  ))}
-                </tbody>
-              </table>
-            )}
-          </div>
-        )}
-      </div>
-    </div>
-  );
-}
-
-export default Routing; 
\ No newline at end of file
+import { useState, useEffect } from 'react';
+import { Plus, Trash2, Wifi, Shield, Activity, Settings, Terminal, ArrowRightLeft, RefreshCw } from 'lucide-react';
+import { routingAPI } from '../services/api';
+
+const EMPTY_NAT = { source_network: '', target_interface: 'eth0', masquerade: true, nat_type: 'MASQUERADE', protocol: 'ALL', external_port: '', internal_ip: '', internal_port: '' };
+const EMPTY_PF  = { name: '', protocol: 'TCP', external_port: '', internal_ip: '', internal_port: '' };
+const EMPTY_PEER = { peer_name: '', peer_ip: '', allowed_networks: '', route_type: 'lan' };
+const EMPTY_FW  = { rule_type: 'FORWARD', source: '', destination: '', action: 'ACCEPT', protocol: 'ALL', port_range: '' };
+
+function Badge({ ok, children }) {
+  return (
+    <span className={`inline-flex items-center px-2 py-0.5 rounded text-xs font-medium ${ok ? 'bg-green-100 text-green-700' : 'bg-red-100 text-red-700'}`}>
+      {children}
+    </span>
+  );
+}
+
+function SectionHeader({ title, action }) {
+  return (
+    <div className="flex justify-between items-center mb-4">
+      <h3 className="text-lg font-medium text-gray-900">{title}</h3>
+      {action}
+    </div>
+  );
+}
+
+function EmptyRow({ cols, message }) {
+  return (
+    <tr>
+      <td colSpan={cols} className="px-4 py-8 text-center text-gray-400 text-sm">{message}</td>
+    </tr>
+  );
+}
+
+function Routing() {
+  const [activeTab, setActiveTab] = useState('overview');
+  const [routingStatus, setRoutingStatus] = useState(null);
+  const [statusLoading, setStatusLoading] = useState(true);
+
+  // NAT
+  const [natRules, setNatRules]       = useState([]);
+  const [natLoading, setNatLoading]   = useState(false);
+  const [showNatForm, setShowNatForm] = useState(false);
+  const [newNat, setNewNat]           = useState(EMPTY_NAT);
+  const [natError, setNatError]       = useState(null);
+
+  // Port Forwarding (DNAT subset)
+  const [pfRules, setPfRules]       = useState([]);
+  const [showPfForm, setShowPfForm] = useState(false);
+  const [newPf, setNewPf]           = useState(EMPTY_PF);
+  const [pfError, setPfError]       = useState(null);
+  const [pfSubmitting, setPfSubmitting] = useState(false);
+
+  // Peer Routes
+  const [peerRoutes, setPeerRoutes]       = useState([]);
+  const [peersLoading, setPeersLoading]   = useState(false);
+  const [showPeerForm, setShowPeerForm]   = useState(false);
+  const [newPeerRoute, setNewPeerRoute]   = useState(EMPTY_PEER);
+  const [peersError, setPeersError]       = useState(null);
+
+  // Firewall
+  const [firewallRules, setFirewallRules] = useState([]);
+  const [fwLoading, setFwLoading]         = useState(false);
+  const [showFwForm, setShowFwForm]       = useState(false);
+  const [newFwRule, setNewFwRule]         = useState(EMPTY_FW);
+  const [fwError, setFwError]             = useState(null);
+
+  // Live iptables
+  const [liveIptables, setLiveIptables]   = useState(null);
+  const [iptLoading, setIptLoading]       = useState(false);
+
+  // Diagnostics
+  const [diagTarget, setDiagTarget]       = useState('');
+  const [diagResult, setDiagResult]       = useState(null);
+  const [diagRunning, setDiagRunning]     = useState(false);
+
+  useEffect(() => {
+    fetchStatus();
+    fetchNatRules();
+    fetchPeerRoutes();
+    fetchFirewallRules();
+  }, []);
+
+  // ── Fetch helpers ──────────────────────────────────────────────────────────
+
+  const fetchStatus = async () => {
+    try {
+      const r = await routingAPI.getStatus();
+      setRoutingStatus(r.data);
+    } catch {}
+    finally { setStatusLoading(false); }
+  };
+
+  const fetchNatRules = async () => {
+    setNatLoading(true);
+    try {
+      const r = await routingAPI.getNatRules();
+      const all = r.data.nat_rules || [];
+      setNatRules(all.filter(x => x.nat_type !== 'DNAT'));
+      setPfRules(all.filter(x => x.nat_type === 'DNAT'));
+    } catch { setNatError('Failed to load NAT rules'); }
+    finally { setNatLoading(false); }
+  };
+
+  const fetchPeerRoutes = async () => {
+    setPeersLoading(true);
+    try { const r = await routingAPI.getPeerRoutes(); setPeerRoutes(r.data.peer_routes || []); }
+    catch { setPeersError('Failed to load peer routes'); }
+    finally { setPeersLoading(false); }
+  };
+
+  const fetchFirewallRules = async () => {
+    setFwLoading(true);
+    try { const r = await routingAPI.getFirewallRules(); setFirewallRules(r.data.firewall_rules || []); }
+    catch { setFwError('Failed to load firewall rules'); }
+    finally { setFwLoading(false); }
+  };
+
+  const fetchLiveIptables = async () => {
+    setIptLoading(true);
+    try { const r = await routingAPI.getLiveIptables(); setLiveIptables(r.data); }
+    catch { setLiveIptables({ error: 'Failed to load' }); }
+    finally { setIptLoading(false); }
+  };
+
+  // ── NAT handlers ──────────────────────────────────────────────────────────
+
+  const handleAddNat = async (e) => {
+    e.preventDefault();
+    setNatError(null);
+    try {
+      await routingAPI.addNatRule(newNat);
+      setShowNatForm(false); setNewNat(EMPTY_NAT);
+      fetchNatRules(); fetchStatus();
+    } catch { setNatError('Failed to add NAT rule'); }
+  };
+
+  const handleDeleteNat = async (id) => {
+    if (!window.confirm('Delete this NAT rule?')) return;
+    try { await routingAPI.deleteNatRule(id); fetchNatRules(); fetchStatus(); }
+    catch { setNatError('Failed to delete NAT rule'); }
+  };
+
+  // ── Port Forwarding handlers ───────────────────────────────────────────────
+
+  const handleAddPf = async (e) => {
+    e.preventDefault();
+    setPfError(null); setPfSubmitting(true);
+    try {
+      await routingAPI.addNatRule({
+        source_network: '0.0.0.0/0',
+        target_interface: 'eth0',
+        masquerade: false,
+        nat_type: 'DNAT',
+        protocol: newPf.protocol,
+        external_port: newPf.external_port,
+        internal_ip: newPf.internal_ip,
+        internal_port: newPf.internal_port,
+      });
+      setShowPfForm(false); setNewPf(EMPTY_PF);
+      fetchNatRules();
+    } catch { setPfError('Failed to add port forwarding rule'); }
+    finally { setPfSubmitting(false); }
+  };
+
+  const handleDeletePf = async (id) => {
+    if (!window.confirm('Delete this port forwarding rule?')) return;
+    try { await routingAPI.deleteNatRule(id); fetchNatRules(); }
+    catch { setPfError('Failed to delete rule'); }
+  };
+
+  // ── Peer Route handlers ───────────────────────────────────────────────────
+
+  const handleAddPeer = async (e) => {
+    e.preventDefault();
+    setPeersError(null);
+    try {
+      await routingAPI.addPeerRoute({
+        ...newPeerRoute,
+        allowed_networks: newPeerRoute.allowed_networks.split(',').map(s => s.trim()).filter(Boolean),
+      });
+      setShowPeerForm(false); setNewPeerRoute(EMPTY_PEER);
+      fetchPeerRoutes(); fetchStatus();
+    } catch { setPeersError('Failed to add peer route'); }
+  };
+
+  const handleDeletePeer = async (name) => {
+    if (!window.confirm('Delete this peer route?')) return;
+    try { await routingAPI.deletePeerRoute(name); fetchPeerRoutes(); fetchStatus(); }
+    catch { setPeersError('Failed to delete peer route'); }
+  };
+
+  // ── Firewall handlers ─────────────────────────────────────────────────────
+
+  const handleAddFw = async (e) => {
+    e.preventDefault();
+    setFwError(null);
+    try {
+      await routingAPI.addFirewallRule(newFwRule);
+      setShowFwForm(false); setNewFwRule(EMPTY_FW);
+      fetchFirewallRules(); fetchStatus();
+    } catch { setFwError('Failed to add firewall rule'); }
+  };
+
+  const handleDeleteFw = async (id) => {
+    if (!window.confirm('Delete this firewall rule?')) return;
+    try { await routingAPI.deleteFirewallRule(id); fetchFirewallRules(); fetchStatus(); }
+    catch { setFwError('Failed to delete firewall rule'); }
+  };
+
+  // ── Diagnostics ───────────────────────────────────────────────────────────
+
+  const handleRunDiag = async (e) => {
+    e.preventDefault();
+    if (!diagTarget.trim()) return;
+    setDiagRunning(true); setDiagResult(null);
+    try {
+      const r = await routingAPI.testConnectivity({ target_ip: diagTarget.trim() });
+      setDiagResult(r.data);
+    } catch (err) {
+      setDiagResult({ error: err.message });
+    } finally { setDiagRunning(false); }
+  };
+
+  // ── Summary counts ────────────────────────────────────────────────────────
+
+  const rs = routingStatus?.routing_status || routingStatus || {};
+  const routingTable = rs.routing_table || [];
+
+  // ── Tabs ──────────────────────────────────────────────────────────────────
+
+  const tabs = [
+    { id: 'overview',    name: 'Overview',         icon: Activity },
+    { id: 'portfwd',     name: 'Port Forwarding',  icon: ArrowRightLeft },
+    { id: 'nat',         name: 'NAT Rules',        icon: Shield },
+    { id: 'peers',       name: 'Peer Routes',      icon: Wifi },
+    { id: 'firewall',    name: 'Firewall',         icon: Settings },
+    { id: 'live',        name: 'Live iptables',    icon: Terminal },
+    { id: 'diagnostics', name: 'Diagnostics',      icon: Activity },
+  ];
+
+  return (
+    <div>
+      <div className="mb-8">
+        <h1 className="text-2xl font-bold text-gray-900">Routing & Gateway</h1>
+        <p className="mt-2 text-gray-600">Manage VPN gateway, NAT, port forwarding, and firewall rules</p>
+      </div>
+
+      {/* Summary strip */}
+      {!statusLoading && (
+        <div className="grid grid-cols-2 md:grid-cols-4 gap-4 mb-8">
+          {[
+            { label: 'NAT Rules',      value: rs.nat_rules_count ?? natRules.length },
+            { label: 'Port Forwards',  value: pfRules.length },
+            { label: 'Peer Routes',    value: rs.peer_routes_count ?? peerRoutes.length },
+            { label: 'Firewall Rules', value: rs.firewall_rules_count ?? firewallRules.length },
+          ].map(({ label, value }) => (
+            <div key={label} className="card flex items-center">
+              <Shield className="h-7 w-7 text-primary-400 mr-3" />
+              <div>
+                <p className="text-xs text-gray-500">{label}</p>
+                <p className="text-xl font-semibold text-gray-900">{value}</p>
+              </div>
+            </div>
+          ))}
+        </div>
+      )}
+
+      {/* Tabs */}
+      <div className="mb-6 border-b border-gray-200">
+        <nav className="-mb-px flex space-x-6 overflow-x-auto">
+          {tabs.map(tab => (
+            <button
+              key={tab.id}
+              onClick={() => {
+                setActiveTab(tab.id);
+                if (tab.id === 'live' && !liveIptables) fetchLiveIptables();
+              }}
+              className={`flex items-center whitespace-nowrap px-1 py-3 border-b-2 font-medium text-sm ${
+                activeTab === tab.id
+                  ? 'border-primary-500 text-primary-600'
+                  : 'border-transparent text-gray-500 hover:text-gray-700 hover:border-gray-300'
+              }`}
+            >
+              <tab.icon className="h-4 w-4 mr-1.5" />
+              {tab.name}
+            </button>
+          ))}
+        </nav>
+      </div>
+
+      {/* ── Overview ── */}
+      {activeTab === 'overview' && (
+        <div className="card space-y-6">
+          <SectionHeader title="System Routing Table" action={
+            <button className="btn btn-secondary text-sm flex items-center" onClick={fetchStatus}>
+              <RefreshCw className="h-4 w-4 mr-1" /> Refresh
+            </button>
+          } />
+          {statusLoading ? (
+            <div className="flex justify-center py-8"><div className="animate-spin rounded-full h-8 w-8 border-b-2 border-primary-600" /></div>
+          ) : routingTable.length > 0 ? (
+            <table className="min-w-full text-sm">
+              <thead>
+                <tr className="text-left text-gray-500 text-xs uppercase border-b">
+                  <th className="pb-2 pr-6">Destination</th>
+                  <th className="pb-2 pr-6">Gateway</th>
+                  <th className="pb-2 pr-6">Interface</th>
+                  <th className="pb-2">Flags</th>
+                </tr>
+              </thead>
+              <tbody>
+                {routingTable.map((r, i) => {
+                  const p = r.parsed || {};
+                  return (
+                    <tr key={i} className="border-b last:border-0 hover:bg-gray-50">
+                      <td className="py-2 pr-6 font-mono text-gray-900">{p.destination || r.route}</td>
+                      <td className="py-2 pr-6 font-mono text-gray-500">{p.via || '—'}</td>
+                      <td className="py-2 pr-6 text-gray-600">{p.dev || '—'}</td>
+                      <td className="py-2 text-gray-400 text-xs">{p.metric ? `metric ${p.metric}` : ''}</td>
+                    </tr>
+                  );
+                })}
+              </tbody>
+            </table>
+          ) : (
+            <p className="text-gray-400 text-sm">No routing table entries available.</p>
+          )}
+        </div>
+      )}
+
+      {/* ── Port Forwarding ── */}
+      {activeTab === 'portfwd' && (
+        <div className="card">
+          <SectionHeader title="Port Forwarding (DNAT)" action={
+            <button className="btn btn-primary flex items-center" onClick={() => setShowPfForm(v => !v)}>
+              <Plus className="h-4 w-4 mr-1" />{showPfForm ? 'Cancel' : 'Add Rule'}
+            </button>
+          } />
+          <p className="text-sm text-gray-500 mb-4">Forward inbound traffic on a public port to an internal host.</p>
+
+          {showPfForm && (
+            <form onSubmit={handleAddPf} className="mb-6 p-4 bg-gray-50 rounded-lg space-y-4">
+              <div className="grid grid-cols-2 md:grid-cols-4 gap-4">
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Protocol</label>
+                  <select className="input w-full" value={newPf.protocol} onChange={e => setNewPf(p => ({...p, protocol: e.target.value}))}>
+                    <option>TCP</option><option>UDP</option>
+                  </select>
+                </div>
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">External Port</label>
+                  <input className="input w-full" placeholder="e.g. 8080" value={newPf.external_port}
+                    onChange={e => setNewPf(p => ({...p, external_port: e.target.value}))} required />
+                </div>
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Internal IP</label>
+                  <input className="input w-full" placeholder="e.g. 172.20.0.5" value={newPf.internal_ip}
+                    onChange={e => setNewPf(p => ({...p, internal_ip: e.target.value}))} required />
+                </div>
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Internal Port</label>
+                  <input className="input w-full" placeholder="e.g. 80" value={newPf.internal_port}
+                    onChange={e => setNewPf(p => ({...p, internal_port: e.target.value}))} required />
+                </div>
+              </div>
+              {pfError && <p className="text-red-500 text-sm">{pfError}</p>}
+              <div className="flex justify-end">
+                <button type="submit" className="btn btn-primary" disabled={pfSubmitting}>
+                  {pfSubmitting ? 'Adding…' : 'Add Forward Rule'}
+                </button>
+              </div>
+            </form>
+          )}
+
+          <table className="min-w-full text-sm">
+            <thead>
+              <tr className="text-left text-gray-500 text-xs uppercase border-b">
+                <th className="pb-2 pr-4">Protocol</th>
+                <th className="pb-2 pr-4">External Port</th>
+                <th className="pb-2 pr-4">→ Internal IP</th>
+                <th className="pb-2 pr-4">Internal Port</th>
+                <th className="pb-2" />
+              </tr>
+            </thead>
+            <tbody>
+              {pfRules.length === 0 ? (
+                <EmptyRow cols={5} message="No port forwarding rules configured." />
+              ) : pfRules.map((r, i) => (
+                <tr key={r.id || i} className="border-b last:border-0 hover:bg-gray-50">
+                  <td className="py-2 pr-4">{r.protocol || 'ALL'}</td>
+                  <td className="py-2 pr-4 font-mono">{r.external_port || '—'}</td>
+                  <td className="py-2 pr-4 font-mono">{r.internal_ip || '—'}</td>
+                  <td className="py-2 pr-4 font-mono">{r.internal_port || '—'}</td>
+                  <td className="py-2 text-right">
+                    <button className="text-red-500 hover:text-red-700" onClick={() => handleDeletePf(r.id || i)}>
+                      <Trash2 className="h-4 w-4" />
+                    </button>
+                  </td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+      )}
+
+      {/* ── NAT Rules ── */}
+      {activeTab === 'nat' && (
+        <div className="card">
+          <SectionHeader title="NAT / Masquerade Rules" action={
+            <button className="btn btn-primary flex items-center" onClick={() => setShowNatForm(v => !v)}>
+              <Plus className="h-4 w-4 mr-1" />{showNatForm ? 'Cancel' : 'Add Rule'}
+            </button>
+          } />
+
+          {showNatForm && (
+            <form onSubmit={handleAddNat} className="mb-6 p-4 bg-gray-50 rounded-lg space-y-4">
+              <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Source Network</label>
+                  <input className="input w-full" placeholder="e.g. 10.0.0.0/24" value={newNat.source_network}
+                    onChange={e => setNewNat(p => ({...p, source_network: e.target.value}))} required />
+                </div>
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Outbound Interface</label>
+                  <input className="input w-full" placeholder="e.g. eth0" value={newNat.target_interface}
+                    onChange={e => setNewNat(p => ({...p, target_interface: e.target.value}))} required />
+                </div>
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Type</label>
+                  <select className="input w-full" value={newNat.nat_type}
+                    onChange={e => setNewNat(p => ({...p, nat_type: e.target.value}))}>
+                    <option value="MASQUERADE">MASQUERADE</option>
+                    <option value="SNAT">SNAT</option>
+                  </select>
+                </div>
+              </div>
+              {natError && <p className="text-red-500 text-sm">{natError}</p>}
+              <div className="flex justify-end">
+                <button type="submit" className="btn btn-primary">Add Rule</button>
+              </div>
+            </form>
+          )}
+
+          {natLoading ? <div className="py-8 text-center text-gray-400">Loading…</div> : (
+            <table className="min-w-full text-sm">
+              <thead>
+                <tr className="text-left text-gray-500 text-xs uppercase border-b">
+                  <th className="pb-2 pr-4">Source Network</th>
+                  <th className="pb-2 pr-4">Interface</th>
+                  <th className="pb-2 pr-4">Type</th>
+                  <th className="pb-2" />
+                </tr>
+              </thead>
+              <tbody>
+                {natRules.length === 0 ? (
+                  <EmptyRow cols={4} message="No NAT rules configured." />
+                ) : natRules.map((r, i) => (
+                  <tr key={r.id || i} className="border-b last:border-0 hover:bg-gray-50">
+                    <td className="py-2 pr-4 font-mono">{r.source_network}</td>
+                    <td className="py-2 pr-4">{r.target_interface}</td>
+                    <td className="py-2 pr-4"><Badge ok>{r.nat_type || 'MASQUERADE'}</Badge></td>
+                    <td className="py-2 text-right">
+                      <button className="text-red-500 hover:text-red-700" onClick={() => handleDeleteNat(r.id || i)}>
+                        <Trash2 className="h-4 w-4" />
+                      </button>
+                    </td>
+                  </tr>
+                ))}
+              </tbody>
+            </table>
+          )}
+        </div>
+      )}
+
+      {/* ── Peer Routes ── */}
+      {activeTab === 'peers' && (
+        <div className="card">
+          <SectionHeader title="Peer Routes" action={
+            <button className="btn btn-primary flex items-center" onClick={() => setShowPeerForm(v => !v)}>
+              <Plus className="h-4 w-4 mr-1" />{showPeerForm ? 'Cancel' : 'Add Route'}
+            </button>
+          } />
+          <p className="text-sm text-gray-500 mb-4">
+            Add OS-level routes that forward traffic for a network through a specific VPN peer.
+          </p>
+
+          {showPeerForm && (
+            <form onSubmit={handleAddPeer} className="mb-6 p-4 bg-gray-50 rounded-lg space-y-4">
+              <div className="grid grid-cols-1 md:grid-cols-4 gap-4">
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Peer Name</label>
+                  <input className="input w-full" placeholder="e.g. office" value={newPeerRoute.peer_name}
+                    onChange={e => setNewPeerRoute(p => ({...p, peer_name: e.target.value}))} required />
+                </div>
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Peer VPN IP</label>
+                  <input className="input w-full" placeholder="e.g. 10.0.0.5" value={newPeerRoute.peer_ip}
+                    onChange={e => setNewPeerRoute(p => ({...p, peer_ip: e.target.value}))} required />
+                </div>
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Networks (comma-separated)</label>
+                  <input className="input w-full" placeholder="e.g. 192.168.1.0/24" value={newPeerRoute.allowed_networks}
+                    onChange={e => setNewPeerRoute(p => ({...p, allowed_networks: e.target.value}))} />
+                </div>
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Type</label>
+                  <select className="input w-full" value={newPeerRoute.route_type}
+                    onChange={e => setNewPeerRoute(p => ({...p, route_type: e.target.value}))}>
+                    <option value="lan">LAN</option>
+                    <option value="exit">Exit</option>
+                    <option value="split">Split</option>
+                  </select>
+                </div>
+              </div>
+              {peersError && <p className="text-red-500 text-sm">{peersError}</p>}
+              <div className="flex justify-end">
+                <button type="submit" className="btn btn-primary">Add Route</button>
+              </div>
+            </form>
+          )}
+
+          {peersLoading ? <div className="py-8 text-center text-gray-400">Loading…</div> : (
+            <table className="min-w-full text-sm">
+              <thead>
+                <tr className="text-left text-gray-500 text-xs uppercase border-b">
+                  <th className="pb-2 pr-4">Peer</th>
+                  <th className="pb-2 pr-4">VPN IP</th>
+                  <th className="pb-2 pr-4">Networks</th>
+                  <th className="pb-2 pr-4">Type</th>
+                  <th className="pb-2" />
+                </tr>
+              </thead>
+              <tbody>
+                {peerRoutes.length === 0 ? (
+                  <EmptyRow cols={5} message="No peer routes configured." />
+                ) : peerRoutes.map((r, i) => (
+                  <tr key={r.peer_name || i} className="border-b last:border-0 hover:bg-gray-50">
+                    <td className="py-2 pr-4 font-medium">{r.peer_name}</td>
+                    <td className="py-2 pr-4 font-mono">{r.peer_ip}</td>
+                    <td className="py-2 pr-4 font-mono text-xs">
+                      {Array.isArray(r.allowed_networks) ? r.allowed_networks.join(', ') : r.allowed_networks}
+                    </td>
+                    <td className="py-2 pr-4">{r.route_type}</td>
+                    <td className="py-2 text-right">
+                      <button className="text-red-500 hover:text-red-700" onClick={() => handleDeletePeer(r.peer_name)}>
+                        <Trash2 className="h-4 w-4" />
+                      </button>
+                    </td>
+                  </tr>
+                ))}
+              </tbody>
+            </table>
+          )}
+        </div>
+      )}
+
+      {/* ── Firewall ── */}
+      {activeTab === 'firewall' && (
+        <div className="card">
+          <SectionHeader title="Custom Firewall Rules" action={
+            <button className="btn btn-primary flex items-center" onClick={() => setShowFwForm(v => !v)}>
+              <Plus className="h-4 w-4 mr-1" />{showFwForm ? 'Cancel' : 'Add Rule'}
+            </button>
+          } />
+          <p className="text-sm text-gray-500 mb-4">
+            Custom iptables rules applied on the host. Per-peer VPN access rules are managed on the <a href="/peers" className="text-primary-600 underline">Peers page</a>.
+          </p>
+
+          {showFwForm && (
+            <form onSubmit={handleAddFw} className="mb-6 p-4 bg-gray-50 rounded-lg space-y-4">
+              <div className="grid grid-cols-2 md:grid-cols-3 gap-4">
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Chain</label>
+                  <select className="input w-full" value={newFwRule.rule_type}
+                    onChange={e => setNewFwRule(p => ({...p, rule_type: e.target.value}))}>
+                    <option value="INPUT">INPUT</option>
+                    <option value="FORWARD">FORWARD</option>
+                    <option value="OUTPUT">OUTPUT</option>
+                  </select>
+                </div>
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Source CIDR</label>
+                  <input className="input w-full" placeholder="e.g. 10.0.0.0/8" value={newFwRule.source}
+                    onChange={e => setNewFwRule(p => ({...p, source: e.target.value}))} required />
+                </div>
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Destination CIDR</label>
+                  <input className="input w-full" placeholder="e.g. 0.0.0.0/0" value={newFwRule.destination}
+                    onChange={e => setNewFwRule(p => ({...p, destination: e.target.value}))} required />
+                </div>
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Protocol</label>
+                  <select className="input w-full" value={newFwRule.protocol}
+                    onChange={e => setNewFwRule(p => ({...p, protocol: e.target.value}))}>
+                    <option value="ALL">ALL</option>
+                    <option value="TCP">TCP</option>
+                    <option value="UDP">UDP</option>
+                    <option value="ICMP">ICMP</option>
+                  </select>
+                </div>
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Port / Range</label>
+                  <input className="input w-full" placeholder="e.g. 80 or 1000-2000" value={newFwRule.port_range}
+                    onChange={e => setNewFwRule(p => ({...p, port_range: e.target.value}))} />
+                </div>
+                <div>
+                  <label className="block text-xs text-gray-500 mb-1">Action</label>
+                  <select className="input w-full" value={newFwRule.action}
+                    onChange={e => setNewFwRule(p => ({...p, action: e.target.value}))}>
+                    <option value="ACCEPT">ACCEPT</option>
+                    <option value="DROP">DROP</option>
+                    <option value="REJECT">REJECT</option>
+                  </select>
+                </div>
+              </div>
+              {fwError && <p className="text-red-500 text-sm">{fwError}</p>}
+              <div className="flex justify-end">
+                <button type="submit" className="btn btn-primary">Add Rule</button>
+              </div>
+            </form>
+          )}
+
+          {fwLoading ? <div className="py-8 text-center text-gray-400">Loading…</div> : (
+            <table className="min-w-full text-sm">
+              <thead>
+                <tr className="text-left text-gray-500 text-xs uppercase border-b">
+                  <th className="pb-2 pr-4">Chain</th>
+                  <th className="pb-2 pr-4">Source</th>
+                  <th className="pb-2 pr-4">Destination</th>
+                  <th className="pb-2 pr-4">Proto</th>
+                  <th className="pb-2 pr-4">Port</th>
+                  <th className="pb-2 pr-4">Action</th>
+                  <th className="pb-2" />
+                </tr>
+              </thead>
+              <tbody>
+                {firewallRules.length === 0 ? (
+                  <EmptyRow cols={7} message="No custom firewall rules configured." />
+                ) : firewallRules.map((r, i) => (
+                  <tr key={r.id || i} className="border-b last:border-0 hover:bg-gray-50">
+                    <td className="py-2 pr-4">{r.rule_type}</td>
+                    <td className="py-2 pr-4 font-mono text-xs">{r.source}</td>
+                    <td className="py-2 pr-4 font-mono text-xs">{r.destination}</td>
+                    <td className="py-2 pr-4">{r.protocol || 'ALL'}</td>
+                    <td className="py-2 pr-4 font-mono">{r.port_range || r.port || '—'}</td>
+                    <td className="py-2 pr-4">
+                      <Badge ok={r.action === 'ACCEPT'}>{r.action}</Badge>
+                    </td>
+                    <td className="py-2 text-right">
+                      <button className="text-red-500 hover:text-red-700" onClick={() => handleDeleteFw(r.id)}>
+                        <Trash2 className="h-4 w-4" />
+                      </button>
+                    </td>
+                  </tr>
+                ))}
+              </tbody>
+            </table>
+          )}
+        </div>
+      )}
+
+      {/* ── Live iptables ── */}
+      {activeTab === 'live' && (
+        <div className="card">
+          <SectionHeader title="Live iptables (WireGuard container)" action={
+            <button className="btn btn-secondary flex items-center" onClick={fetchLiveIptables} disabled={iptLoading}>
+              <RefreshCw className={`h-4 w-4 mr-1 ${iptLoading ? 'animate-spin' : ''}`} /> Refresh
+            </button>
+          } />
+          <p className="text-sm text-gray-500 mb-4">Read-only view of actual iptables rules running inside cell-wireguard.</p>
+
+          {iptLoading ? (
+            <div className="flex justify-center py-8"><div className="animate-spin rounded-full h-8 w-8 border-b-2 border-primary-600" /></div>
+          ) : liveIptables ? (
+            <div className="space-y-4">
+              {Object.entries(liveIptables).map(([table, text]) => (
+                <div key={table}>
+                  <h4 className="text-sm font-semibold text-gray-700 mb-1 uppercase tracking-wide">{table} table</h4>
+                  <pre className="bg-gray-900 text-green-400 text-xs p-4 rounded-lg overflow-x-auto whitespace-pre font-mono leading-5">
+                    {text || '(empty)'}
+                  </pre>
+                </div>
+              ))}
+            </div>
+          ) : (
+            <div className="text-center py-8 text-gray-400">
+              <Terminal className="h-10 w-10 mx-auto mb-2 opacity-30" />
+              <p className="text-sm">Click Refresh to load live iptables rules.</p>
+            </div>
+          )}
+        </div>
+      )}
+
+      {/* ── Diagnostics ── */}
+      {activeTab === 'diagnostics' && (
+        <div className="card">
+          <SectionHeader title="Connectivity Test" />
+          <p className="text-sm text-gray-500 mb-6">Ping and traceroute a target from the server to verify routing.</p>
+
+          <form onSubmit={handleRunDiag} className="flex gap-3 mb-6">
+            <input
+              className="input flex-1"
+              placeholder="Target IP or hostname (e.g. 8.8.8.8)"
+              value={diagTarget}
+              onChange={e => setDiagTarget(e.target.value)}
+              required
+            />
+            <button type="submit" className="btn btn-primary flex items-center" disabled={diagRunning}>
+              {diagRunning
+                ? <><div className="animate-spin rounded-full h-4 w-4 border-b-2 border-white mr-2" />Running…</>
+                : <><Activity className="h-4 w-4 mr-1" />Run Test</>}
+            </button>
+          </form>
+
+          {diagResult && (
+            <div className="space-y-4">
+              {diagResult.error && (
+                <div className="p-4 bg-red-50 rounded-lg text-red-700 text-sm">{diagResult.error}</div>
+              )}
+              {diagResult.ping && (
+                <div>
+                  <div className="flex items-center gap-2 mb-1">
+                    <span className="text-sm font-medium text-gray-700">Ping</span>
+                    <Badge ok={diagResult.ping.success}>{diagResult.ping.success ? 'reachable' : 'unreachable'}</Badge>
+                  </div>
+                  <pre className="bg-gray-900 text-green-400 text-xs p-3 rounded-lg overflow-x-auto font-mono leading-5">
+                    {diagResult.ping.output || diagResult.ping.error || '(no output)'}
+                  </pre>
+                </div>
+              )}
+              {diagResult.traceroute && (
+                <div>
+                  <div className="flex items-center gap-2 mb-1">
+                    <span className="text-sm font-medium text-gray-700">Traceroute</span>
+                  </div>
+                  <pre className="bg-gray-900 text-green-400 text-xs p-3 rounded-lg overflow-x-auto font-mono leading-5">
+                    {diagResult.traceroute.output || diagResult.traceroute.error || '(no output)'}
+                  </pre>
+                </div>
+              )}
+            </div>
+          )}
+        </div>
+      )}
+    </div>
+  );
+}
+
+export default Routing;
diff --git a/webui/src/services/api.js b/webui/src/services/api.js
index 5648e6c..4c9fd5b 100644
--- a/webui/src/services/api.js
+++ b/webui/src/services/api.js
@@ -137,6 +137,7 @@ export const routingAPI = {
   getFirewallRules: () => api.get('/api/routing/firewall'),
   addFirewallRule: (rule) => api.post('/api/routing/firewall', rule),
   deleteFirewallRule: (ruleId) => api.delete(`/api/routing/firewall/${ruleId}`),
+  getLiveIptables: () => api.get('/api/routing/live-iptables'),
   // Other
   addExitNode: (node) => api.post('/api/routing/exit-nodes', node),
   addBridgeRoute: (route) => api.post('/api/routing/bridge', route),