This is an automated archive.
The original was posted on /r/wireguard by /u/kellmann1337 on 2024-01-02 14:44:08+00:00.
Hi,
I have a wireguard interface wg1 where I call PostUp = /etc/wireguard/postup.sh. My postup.sh looks like this:
WIREGUARD_INTERFACE=wg1
WIREGUARD_LAN=10.0.0.0/24
MASQUERADE_INTERFACE=eth0
CHAIN_NAME=WIREGUARD_wg1
WIREGUARD_CLIENT=10.0.0.2
WIREGUARD_DNS=192.168.178.47
iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
# Add a WIREGUARD_wg1 chain to the FORWARD chain
iptables -N $CHAIN_NAME
iptables -A FORWARD -j $CHAIN_NAME
# Accept related or established traffic
iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow traffic to router and DNS gateway
iptables -A $CHAIN_NAME -s $WIREGUARD_CLIENT -d 192.168.178.1 -j ACCEPT
iptables -A $CHAIN_NAME -s $WIREGUARD_CLIENT -d 192.168.178.47 -j ACCEPT
# Accept outgoing connections to any IP address (public because of rule above)
iptables -A $CHAIN_NAME -s $WIREGUARD_CLIENT -i $WIREGUARD_INTERFACE -j ACCEPT
# Accept outgoing connections to HTTP(S) ports to any IP address (public because of rule above)
iptables -A $CHAIN_NAME -s $WIREGUARD_CLIENT -i $WIREGUARD_INTERFACE -d 0.0.0.0/0 -p tcp -m multiport --dports 80,443 -j ACCEPT
# Drop traffic to any private IP address
iptables -A $CHAIN_NAME -s $WIREGUARD_CLIENT -i $WIREGUARD_INTERFACE -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -j DROP
# Drop everything else coming through the Wireguard interface
iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP
# Return to FORWARD chain
iptables -A $CHAIN_NAME -j RETURN
I would expect that the connected client is able to do web browsing, but is not allowed to access any IPs from the network the wireguard server runs in. But the opposite is happening: the client can access those IPs and even use the local DNS, but is not able to access any page from the internet.
The output of iptables -L -v -n is:
Chain INPUT (policy ACCEPT 6449 packets, 1002K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 338 packets, 60782 bytes)
pkts bytes target prot opt in out source destination
2772 1683K WIREGUARD_wg1 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 8419 packets, 5997K bytes)
pkts bytes target prot opt in out source destination
Chain WIREGUARD_wg1 (1 references)
pkts bytes target prot opt in out source destination
877 1535K ACCEPT 0 -- * wg1 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
446 48489 ACCEPT 0 -- * * 10.0.0.2 192.168.178.1
103 6958 ACCEPT 0 -- * * 10.0.0.2 192.168.178.47
1346 92153 ACCEPT 0 -- wg1 * 10.0.0.2 0.0.0.0/0
0 0 ACCEPT 6 -- wg1 * 10.0.0.2 0.0.0.0/0 multiport dports 80,443
0 0 DROP 0 -- wg1 * 10.0.0.2 10.0.0.0/8
0 0 DROP 0 -- wg1 * 10.0.0.2 172.16.0.0/12
0 0 DROP 0 -- wg1 * 10.0.0.2 192.168.0.0/16
0 0 DROP 0 -- wg1 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
In my understanding the output shows what I would expect. But I guess I have a lack of understanding. Any hints or help you could give me to achieve my goal: the client should only be allowed to access the internet and nothing else. My wg0 interface, which allows everything, is working fine, so it's not a "bigger" networking issue.
Thanks for any help in advance :)
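The counters in the post already tell the story: the catch-all ACCEPT (wg1, 10.0.0.2, any destination) has 1346 packets and every DROP beneath it has 0, because iptables stops at the first matching rule and that ACCEPT sits above the private-range DROPs. The script below is an added example, not part of the original post. It does not run iptables; it models first-match chain traversal in plain Python so the ordering effect can be checked offline, and it includes a simple "shadowed rule" check that flags rules an earlier rule fully covers. The REORDERED chain is an assumed fix (private-range DROPs moved in front of the catch-all ACCEPT, and the redundant 80/443 rule dropped); the sample packets and the 198.51.100.10 address are constructed.

```python
"""First-match model of the WIREGUARD_wg1 chain from the post (added example).

Not iptables itself: a small simulator of first-match semantics over the
rules postup.sh builds, plus a check for rules that can never fire.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One filter rule; None means 'any' for that field, as in iptables."""
    target: str                          # ACCEPT, DROP or RETURN
    in_if: Optional[str] = None          # -i
    out_if: Optional[str] = None         # -o
    src: Optional[str] = None            # -s
    dst: Optional[str] = None            # -d
    proto: Optional[str] = None          # -p
    dports: frozenset = frozenset()      # -m multiport --dports
    established: bool = False            # -m conntrack --ctstate RELATED,ESTABLISHED


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 443
    established: bool = False


def _net(s):
    return ipaddress.ip_network(s, strict=False)   # a bare host becomes a /32


def matches(rule, pkt):
    """True if the packet satisfies every condition the rule specifies."""
    if rule.in_if is not None and rule.in_if != pkt.in_if:
        return False
    if rule.out_if is not None and rule.out_if != pkt.out_if:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in _net(rule.src):
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in _net(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.established and not pkt.established:
        return False
    return True


def verdict(chain, pkt, policy="ACCEPT"):
    """First match wins; RETURN or falling off the end yields the parent chain's policy.
    Returns (verdict, 1-based index of the rule that fired, or None)."""
    for idx, rule in enumerate(chain, 1):
        if matches(rule, pkt):
            return (policy if rule.target == "RETURN" else rule.target), idx
    return policy, None


def covers(a, b):
    """True if every packet rule b could match is already matched by rule a."""
    for fld in ("in_if", "out_if", "proto"):
        av, bv = getattr(a, fld), getattr(b, fld)
        if av is not None and av != bv:
            return False
    for fld in ("src", "dst"):
        av, bv = getattr(a, fld), getattr(b, fld)
        if av is not None and (bv is None or not _net(bv).subnet_of(_net(av))):
            return False
    if a.dports and not (b.dports and b.dports <= a.dports):
        return False
    if a.established and not b.established:
        return False
    return True


def shadowed(chain):
    """1-based indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(chain, 1)
            if any(covers(earlier, later) for earlier in chain[:j - 1])]


CLIENT, WG, LAN_ROUTER, LAN_DNS = "10.0.0.2", "wg1", "192.168.178.1", "192.168.178.47"
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

ESTABLISHED = Rule("ACCEPT", out_if=WG, established=True)
TO_ROUTER = Rule("ACCEPT", src=CLIENT, dst=LAN_ROUTER)
TO_DNS = Rule("ACCEPT", src=CLIENT, dst=LAN_DNS)
ANY_DST = Rule("ACCEPT", in_if=WG, src=CLIENT)
WEB_ONLY = Rule("ACCEPT", in_if=WG, src=CLIENT, proto="tcp", dports=frozenset({80, 443}))
DROP_PRIVATE = [Rule("DROP", in_if=WG, src=CLIENT, dst=n) for n in PRIVATE]
DROP_REST = Rule("DROP", in_if=WG)
BACK = Rule("RETURN")

# The chain exactly as postup.sh builds it (the comma-separated -d becomes three rules).
AS_POSTED = [ESTABLISHED, TO_ROUTER, TO_DNS, ANY_DST, WEB_ONLY, *DROP_PRIVATE, DROP_REST, BACK]
# Assumed fix: private-range DROPs before the catch-all ACCEPT; the 80/443 rule is redundant.
REORDERED = [ESTABLISHED, TO_ROUTER, TO_DNS, *DROP_PRIVATE, ANY_DST, DROP_REST, BACK]

# Constructed sample packets (198.51.100.10 is from the TEST-NET-2 documentation range).
LAN_HOST = Packet(in_if=WG, out_if="eth0", src=CLIENT, dst="192.168.178.50")
INTERNET = Packet(in_if=WG, out_if="eth0", src=CLIENT, dst="198.51.100.10", dport=443)
DNS = Packet(in_if=WG, out_if="eth0", src=CLIENT, dst=LAN_DNS, proto="udp", dport=53)
REPLY = Packet(in_if="eth0", out_if=WG, src="198.51.100.10", dst=CLIENT, established=True)

if __name__ == "__main__":
    for name, chain in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(f"--- {name}: shadowed rules {shadowed(chain)}")
        for label, pkt in (("LAN host", LAN_HOST), ("internet", INTERNET),
                           ("DNS", DNS), ("reply", REPLY)):
            print(f"{label:9s} -> {verdict(chain, pkt)}")
```

For the chain as posted the check reports rules 5 to 8 as shadowed (the 80/443 ACCEPT and the three private-range DROPs), which is exactly the set showing 0 packets in the iptables output, and a packet to a LAN host is accepted by rule 4. After reordering, the same packet hits the 192.168.0.0/16 DROP while internet and DNS traffic are still accepted. The model covers only the filter chain; it says nothing about why internet traffic fails in the original setup, since NAT, routing and forwarding are outside what it simulates.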