I'm running a WireGuard "server" in my local network, which I reach remotely through my static public IP.
I want to be able to limit the access of WireGuard remote peers to the services/machines in my LAN, where I host other servers.
Example:
Server 1 (192.168.1.23 | 10.0.0.1) with Wireguard installed + Nextcloud + Jellyfin in same machine
Server 2 (192.168.1.62) with Photoprism
Remote peer 1 (10.0.0.2 | dynamic ip)
Remote peer 2 (10.0.0.3 | dynamic ip)
I want to:
1- Allow Peer 1 (10.0.0.2) to access Nextcloud + Jellyfin on Server 1, and Photoprism on Server 2.
2- Allow Peer 2 (10.0.0.3) to access only Nextcloud on Server 1 (not Jellyfin), and block its access to Server 2.
Right now I can access all machines in my LAN from all peers.
Iptables rules:
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s7 -j MASQUERADE; iptables -t nat -A POSTROUTING -o wg0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s7 -j MASQUERADE; iptables -t nat -D POSTROUTING -o wg0
I followed this tutorial, from Justin Ludwig, because its Site to Point topology is very similar to mine.
So I tried to replicate its iptables rules with these rules:
# masquerading
PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x200
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x200 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x200
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x200 -j MASQUERADE
# wireguard ingress
PreUp = iptables -I INPUT -p udp --dport 2332 -j ACCEPT
PostDown = iptables -D INPUT -p udp --dport 2332 -j ACCEPT
# site firewall
PreUp = iptables -N wg0-filter
PreUp = iptables -N to-photoprism
PreUp = iptables -N to-jellyfin
PreUp = iptables -N to-nextcloud
PreUp = iptables -I INPUT -i wg0 -j wg0-filter
PreUp = iptables -I FORWARD -i wg0 -j wg0-filter
PreUp = iptables -I FORWARD -o wg0 -j wg0-filter
PreUp = iptables -I OUTPUT -o wg0 -j wg0-filter
PreUp = iptables -A wg0-filter -m state --state ESTABLISHED,RELATED -j ACCEPT
PreUp = iptables -A wg0-filter -d 192.168.1.63 -p tcp --dport 2342 -j to-photoprism
PreUp = iptables -A wg0-filter -d 192.168.1.23 -p tcp --dport 8096 -j to-jellyfin
PreUp = iptables -A wg0-filter -d 192.168.1.23 -p tcp --dport 80 -j to-nextcloud
PreUp = iptables -A wg0-filter -j REJECT
PreUp = iptables -A to-photoprism -s 10.0.0.2 -j ACCEPT
PreUp = iptables -A to-jellyfin -s 10.0.0.2 -j ACCEPT
PreUp = iptables -A to-jellyfin -s 10.0.0.3 -j ACCEPT
PreUp = iptables -A to-nextcloud -s 10.0.0.2 -j ACCEPT
PreUp = iptables -A to-nextcloud -s 10.0.0.3 -j ACCEPT
PostDown = iptables -D INPUT -i wg0 -j wg0-filter
PostDown = iptables -D FORWARD -i wg0 -j wg0-filter
PostDown = iptables -D FORWARD -o wg0 -j wg0-filter
PostDown = iptables -D OUTPUT -o wg0 -j wg0-filter
PostDown = iptables -F to-photoprism
PostDown = iptables -F to-jellyfin
PostDown = iptables -F to-nextcloud
PostDown = iptables -X to-photoprism
PostDown = iptables -X to-jellyfin
PostDown = iptables -X to-nextcloud
This didn't work:
Peer 1 and Peer 2 can reach Server 1, both services, but not Server 2.
I'm not savvy enough to understand what I have to change to make this work; I would be happy if someone could chime in.
Thanks in advance
Best Answer
Overall your iptables rules look good to me, although:
In the question description, you mention Server 2 has an IP address of 192.168.1.62; but in the iptables rules, you seem to be using 192.168.1.63 for it. Is that a typo in one place or the other?
In the description, you mention Peer 2 (10.0.0.3) should not have access to Jellyfin; but in the iptables rules, you grant it access with this line:
PreUp = iptables -A to-jellyfin -s 10.0.0.3 -j ACCEPT
Perhaps you meant to remove this rule?
I don't see any PostDown commands to tear down the wg0-filter chain, like you have for the other custom chains; make sure you include them:
PostDown = iptables -F wg0-filter
PostDown = iptables -X wg0-filter
Without these tear-down commands, if you make changes and restart, the wg0-filter chain may end up using the old rules from previous attempts, instead of newer updates. (And make sure you follow the Making Config Changes advice from the article, to shut down the WireGuard interface before making config changes and restarting -- run sudo iptables-save when the interface is down to double-check if you have any old rules or chains that haven't been cleaned up.)
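A consolidated version of the per-peer policy with the three points from the answer applied (Server 2 as 192.168.1.62, no Jellyfin rule for Peer 2, and a teardown that includes wg0-filter). This is an added example, not code from the question or the answer; the DRYRUN switch, the ipt wrapper and the CHAINS variable are assumptions of this example, and the addresses and ports are the ones given in the question.

```shell
#!/bin/sh
# Added example (not the poster's config): the per-peer filter policy from the
# question with the answer's fixes applied. Assumes the addresses from the
# description (Server 2 = 192.168.1.62, not the .63 used in the posted rules).
WG_IF="${WG_IF:-wg0}"
SERVER1=192.168.1.23   # Nextcloud tcp/80 + Jellyfin tcp/8096
SERVER2=192.168.1.62   # Photoprism tcp/2342
PEER1=10.0.0.2         # Nextcloud, Jellyfin, Photoprism
PEER2=10.0.0.3         # Nextcloud only
DRYRUN="${DRYRUN:-1}"  # 1 = print the iptables commands, 0 = run them (needs root)
CHAINS="wg0-filter to-photoprism to-jellyfin to-nextcloud"

ipt() { if [ "$DRYRUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

wg_filter_up() {
    for chain in $CHAINS; do ipt -N "$chain"; done
    # Every packet entering or leaving the tunnel interface goes through wg0-filter
    for hook in "INPUT -i" "FORWARD -i" "FORWARD -o" "OUTPUT -o"; do
        ipt -I $hook "$WG_IF" -j wg0-filter
    done
    ipt -A wg0-filter -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A wg0-filter -d "$SERVER2" -p tcp --dport 2342 -j to-photoprism
    ipt -A wg0-filter -d "$SERVER1" -p tcp --dport 8096 -j to-jellyfin
    ipt -A wg0-filter -d "$SERVER1" -p tcp --dport 80 -j to-nextcloud
    ipt -A wg0-filter -j REJECT   # default deny: anything not dispatched above
    ipt -A to-photoprism -s "$PEER1" -j ACCEPT
    ipt -A to-jellyfin -s "$PEER1" -j ACCEPT   # no rule for PEER2: Jellyfin stays blocked
    ipt -A to-nextcloud -s "$PEER1" -j ACCEPT
    ipt -A to-nextcloud -s "$PEER2" -j ACCEPT
}

wg_filter_down() {
    for hook in "INPUT -i" "FORWARD -i" "FORWARD -o" "OUTPUT -o"; do
        ipt -D $hook "$WG_IF" -j wg0-filter
    done
    # Flush all chains before deleting any: -X refuses a chain that still has
    # rules or is still a jump target, and wg0-filter's jumps reference the to-* chains.
    for chain in $CHAINS; do ipt -F "$chain"; done
    for chain in $CHAINS; do ipt -X "$chain"; done
}
```

Call wg_filter_up from PreUp and wg_filter_down from PostDown; with DRYRUN=1 it only prints the commands, so the output can be compared against iptables-save while the interface is down.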