this post was submitted on 23 Dec 2023
This is an automated archive.

The original was posted on /r/wireguard by /u/BigSkidz on 2023-12-23 18:24:15+00:00.


I have used the following guide on applying client network restrictions with iptables in Linux.

My aim is to have the following restrictions:

Client 1 (10.0.0.2) - Access everything

Client 2 (10.0.0.3) - Access only 192.168.5.3 on port 32400

Below are my PostUp and PostDown rules, which run when WireGuard is brought up/down:

postup.sh:

    #!/bin/sh
    # Runs from the wg-quick PostUp hook when wg0 comes up.
    WIREGUARD_INTERFACE=wg0
    WIREGUARD_LAN=10.0.0.0/24
    MASQUERADE_INTERFACE=eth0

    # NAT the tunnel subnet out of the LAN-facing interface
    iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN

    # Add a WIREGUARD_wg0 chain to the FORWARD chain
    CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
    iptables -N $CHAIN_NAME
    iptables -A FORWARD -j $CHAIN_NAME

    # Accept related or established traffic
    iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Accept all traffic from any owen_client address connected to the WireGuard server
    iptables -A $CHAIN_NAME -s 10.0.0.2 -i $WIREGUARD_INTERFACE -j ACCEPT

    # Accept traffic from plex1_client address to plex-prod server on port 32400
    iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.5.3 -p tcp --dport 32400 -j ACCEPT

    # Drop everything else coming through the WireGuard interface
    iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP

    # Return to FORWARD chain
    iptables -A $CHAIN_NAME -j RETURN

postdown.sh:

    #!/bin/sh
    # Runs from the wg-quick PostDown hook when wg0 goes down; undoes postup.sh.
    WIREGUARD_INTERFACE=wg0
    WIREGUARD_LAN=10.0.0.0/24
    MASQUERADE_INTERFACE=eth0
    CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"

    # Remove the NAT rule for the tunnel subnet
    iptables -t nat -D POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN

    # Remove the jump from FORWARD, then flush and delete the WIREGUARD_wg0 chain
    iptables -D FORWARD -j $CHAIN_NAME
    iptables -F $CHAIN_NAME
    iptables -X $CHAIN_NAME

I have an issue, though: with UFW enabled I can access everything on both clients. With UFW disabled the iptables restrictions work perfectly.

Below are my UFW rules:

    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), deny (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    51820/udp                  ALLOW IN    Anywhere
    22/tcp (OpenSSH)           ALLOW IN    Anywhere
    Anywhere on wg0            ALLOW IN    10.0.0.2
    192.168.5.3 32400 on wg0   ALLOW IN    10.0.0.3
    51820/udp (v6)             ALLOW IN    Anywhere (v6)
    22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)
    Anywhere                   ALLOW OUT   Anywhere on eth0
    Anywhere (v6)              ALLOW OUT   Anywhere (v6) on eth0
    Anywhere on eth0           ALLOW FWD   Anywhere on wg0
    Anywhere (v6) on eth0      ALLOW FWD   Anywhere (v6) on wg0

Has anyone had this, or does anyone know what the issue is? I know it is to do with UFW, but I'm not sure what needs changing.

Thanks for any help.
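Added example, not the poster's code and not ufw or iptables itself: a small Python model of FORWARD-chain traversal (first match wins, user chains, RETURN, chain policy). It loads a constructed, cut-down version of the chains ufw installs at boot (ufw hooks FORWARD into ufw-before-forward, which accepts RELATED,ESTABLISHED traffic and then jumps to ufw-user-forward, where the "Anywhere on eth0 ALLOW FWD Anywhere on wg0" route rule above becomes `-i wg0 -o eth0 -j ACCEPT`), then hooks the post's WIREGUARD_wg0 chain into FORWARD either the way postup.sh does (`-A FORWARD`, which lands after ufw's jump because ufw loaded first) or at position 1 (`-I FORWARD 1`). The packets and the simplified ufw chain layout are constructed for the demonstration. With the appended hook, client 2's packet to port 22 is accepted by ufw's route rule before the per-client chain is reached; with the hook inserted first, the verdicts are the ones the post's rules intend.

```python
"""Simplified model of netfilter FORWARD-chain traversal (added example, not iptables).

Supports -P, -N, -A, -I and the matches -s, -d, -i, -o, -p, --dport and
-m conntrack --ctstate, which is enough to show why the order in which
chains are hooked into FORWARD decides which rule set wins.
"""
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    proto: str = "tcp"
    dport: int = 0
    established: bool = False  # stands in for conntrack RELATED,ESTABLISHED


def _parse_rule(tokens):
    """Turn '-s 10.0.0.3 -i wg0 -p tcp --dport 32400 -j ACCEPT' into (match, target)."""
    match, target, i = {}, None, 0
    while i < len(tokens):
        opt = tokens[i]
        if opt == "-j":
            target = tokens[i + 1]
        elif opt == "-m":
            pass  # match-extension name; its own option (--ctstate) follows
        elif opt == "--ctstate":
            match["ctstate"] = tokens[i + 1].split(",")
        elif opt in ("-s", "-d"):
            match[opt] = ipaddress.ip_network(tokens[i + 1], strict=False)
        elif opt in ("-i", "-o", "-p"):
            match[opt] = tokens[i + 1]
        elif opt == "--dport":
            match["dport"] = int(tokens[i + 1])
        else:
            raise ValueError(f"unsupported option {opt}")
        i += 2
    return match, target


def load_ruleset(commands):
    """Apply iptables-style commands (-P, -N, -A, -I) in the order given."""
    chains, policy = {"FORWARD": []}, {"FORWARD": "ACCEPT"}
    for line in commands.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tok = shlex.split(line)
        cmd, chain = tok[0], tok[1]
        if cmd == "-P":
            policy[chain] = tok[2]
        elif cmd == "-N":
            chains[chain] = []
        elif cmd == "-A":
            chains[chain].append(_parse_rule(tok[2:]))
        elif cmd == "-I":  # "-I CHAIN [pos] rule"; position defaults to 1
            has_pos = tok[2].isdigit()
            pos = int(tok[2]) if has_pos else 1
            chains[chain].insert(pos - 1, _parse_rule(tok[3:] if has_pos else tok[2:]))
        else:
            raise ValueError(f"unsupported command {cmd}")
    return chains, policy


def _matches(match, pkt):
    """True when every option present in the rule agrees with the packet."""
    if "-s" in match and ipaddress.ip_address(pkt.src) not in match["-s"]:
        return False
    if "-d" in match and ipaddress.ip_address(pkt.dst) not in match["-d"]:
        return False
    if match.get("-i", pkt.in_if) != pkt.in_if or match.get("-o", pkt.out_if) != pkt.out_if:
        return False
    if match.get("-p", pkt.proto) != pkt.proto or match.get("dport", pkt.dport) != pkt.dport:
        return False
    if "ctstate" in match and not pkt.established:
        return False
    return True


def verdict(chains, policy, pkt, chain="FORWARD"):
    """Walk a chain in order; ACCEPT/DROP end traversal, RETURN (or falling off
    the end of a user chain) hands control back, built-in chains fall to policy."""
    for match, target in chains[chain]:
        if not _matches(match, pkt):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        sub = verdict(chains, policy, pkt, target)  # jump into a user chain
        if sub is not None:
            return sub
    return policy.get(chain)  # None for user chains: implicit RETURN


# Constructed, cut-down stand-in for what ufw installs at boot with
# "deny (routed)" and "route allow in on wg0 out on eth0" (real ufw has more chains).
UFW_BOOT = """
-P FORWARD DROP
-N ufw-before-forward
-N ufw-user-forward
-A FORWARD -j ufw-before-forward
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-user-forward -i wg0 -o eth0 -j ACCEPT
"""


def wireguard_chain(hook):
    """The post's per-client chain, hooked into FORWARD by `hook`
    ("-A FORWARD" as in postup.sh, or "-I FORWARD 1" to evaluate it first)."""
    return f"""
-N WIREGUARD_wg0
{hook} -j WIREGUARD_wg0
-A WIREGUARD_wg0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A WIREGUARD_wg0 -s 10.0.0.2 -i wg0 -j ACCEPT
-A WIREGUARD_wg0 -s 10.0.0.3 -i wg0 -d 192.168.5.3 -p tcp --dport 32400 -j ACCEPT
-A WIREGUARD_wg0 -i wg0 -j DROP
-A WIREGUARD_wg0 -j RETURN
"""


def evaluate(hook):
    """Verdicts for four constructed packets under the given FORWARD hook style."""
    chains, policy = load_ruleset(UFW_BOOT + wireguard_chain(hook))
    cases = {
        "client1_to_any": Packet("10.0.0.2", "192.168.5.20", "wg0", "eth0", dport=443),
        "client2_to_plex": Packet("10.0.0.3", "192.168.5.3", "wg0", "eth0", dport=32400),
        "client2_to_ssh": Packet("10.0.0.3", "192.168.5.3", "wg0", "eth0", dport=22),
        "reply_to_client2": Packet("192.168.5.3", "10.0.0.3", "eth0", "wg0", established=True),
    }
    return {name: verdict(chains, policy, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for hook in ("-A FORWARD", "-I FORWARD 1"):
        print(hook, evaluate(hook))
```

Running it prints the verdicts for both hook styles; on a real host, `iptables -S FORWARD` shows the actual order of the jumps into ufw's chains and into WIREGUARD_wg0, which is the ordering the model reproduces.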
