Score:0

WireGuard allow access to single service on network


I'm running a WireGuard server on my Raspberry Pi using the https://github.com/linuxserver/docker-wireguard image. I want to allow peers to do two things:

  1. Connect to a single NAS via SMB
  2. Ping the same NAS

I've written the following iptables rules to achieve this (wg0 is the WireGuard interface, eth0 the one "towards" my network):

# Reset (flush) rules
iptables -t nat -F
iptables -F

# Allow WireGuard traffic
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT

# Deny any forward traffic by default
iptables --policy FORWARD DROP

# Allow SAMBA traffic to NAS
NAS="192.168.178.23/32"
iptables -A FORWARD -i wg0 -p tcp --dport 445 -d "$NAS" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ICMP echo request
iptables -A FORWARD -i wg0 -p icmp --icmp-type 8 -d "$NAS" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o wg0 -p icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# NAT tunnel IP to internal IP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

These work, so when connected via WireGuard I can ping and mount the NAS via SMB, but I can't ping any other service in the network or access the HTTP interface of the NAS.

I do however have a few questions to understand exactly what I've done:

  1. When setting INPUT/OUTPUT policy to DROP, nothing works. My assumption is that it's because the WireGuard UDP packets received on wg0 are dropped by the policy?
  2. If I set the policy anyways and add a rule to ALLOW traffic from/to wg0, the effect would be that the container can't connect to anything via eth0 and only FORWARD traffic from wg0?
  3. The rule allowing RELATED,ESTABLISHED traffic via wg0 should only ever match traffic that is in response to either TCP:445 or ICMP:echo-request. No need to be more specific in there (e.g. matching port/protocol), right?
  4. The rule ALLOWing echo-responses isn't needed because the less specific rule allowing RELATED,ESTABLISHED traffic above it will match before it, right?
  5. With all the filtering on the FORWARD chain, my assumption is that I don't need to filter on the nat table's POSTROUTING chain, because any traffic that isn't for the NAS on either TCP:445 or ICMP:echo-request won't make it "this far" anyways. Is this correct?
Score:1

To answer your questions briefly:

  1. Yes
  2. The INPUT/OUTPUT chains are used for connections to/from local sockets on all interfaces (lo, eth0, wg0, etc). Usually you don't want to block everything outbound by default because you'll end up spending time troubleshooting things you normally take for granted (DNS, DHCP, NTP, misc processes using loopback connections, etc)
  3. Yes. Usually it's fine to just allow all RELATED,ESTABLISHED without any additional conditions (if you already allowed a connection through one way, symmetrical responses going back the other way should be fine too)
  4. Yes
  5. Yes

I think this iptables processing flowchart will also help you better understand how this works:

iptables Processing Flowchart

This is how I would write your rules:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# INPUT chain of filter table:

# drop known bad packets
iptables -A INPUT -m state --state INVALID -j DROP
# accept responses to established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept ICMP packets
iptables -A INPUT -p icmp -j ACCEPT
# accept loopback connections
iptables -A INPUT -i lo -j ACCEPT
# accept connections to WireGuard listen port
iptables -A INPUT -p udp --dport 51820 -j ACCEPT

# FORWARD chain of filter table:

# drop known bad packets
iptables -A FORWARD -m state --state INVALID -j DROP
# forward responses to established connections
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# forward ICMP packets from WireGuard network to NAS
iptables -A FORWARD -i wg0 -d 192.168.178.23 -p icmp -j ACCEPT
# forward SMB connections from WireGuard network to NAS
iptables -A FORWARD -i wg0 -d 192.168.178.23 -p tcp --dport 445 -j ACCEPT

# POSTROUTING chain of nat table:

# masquerade all packets forwarded to LAN
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
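Added example, not part of the question or the answer above: a small first-match model of the filter table's FORWARD chain, with both the questioner's rule set and the answerer's rewrite encoded in it. Feeding constructed sample packets through each chain checks that the allow-list behaves as intended (SMB and ping to the NAS pass, everything else to the LAN is dropped, nothing on the LAN can open a new connection into the tunnel) and makes question 4 concrete: the questioner's echo-reply rule is never reached because the generic RELATED,ESTABLISHED rule before it already matches. Assumptions: the conntrack state is supplied with each packet rather than computed, `-d` is matched as an exact host address, the peer tunnel address 10.13.13.2 is a constructed value, and the nat table / MASQUERADE step is outside the model.

```python
# Minimal first-match model of an iptables FORWARD chain (added example, not
# from the thread). Conntrack state is given per packet, "-d" is an exact
# address match, and the nat table is not modelled.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

NAS = "192.168.178.23"          # NAS address from the thread
PEER = "10.13.13.2"             # constructed tunnel address of a VPN peer


@dataclass(frozen=True)
class Packet:
    in_if: str                        # interface the packet arrived on (-i)
    out_if: str                       # interface it would leave on (-o)
    dst: str                          # destination address
    proto: str                        # "tcp", "udp" or "icmp"
    state: str = "NEW"                # conntrack state: NEW/ESTABLISHED/RELATED/INVALID
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[int] = None   # 8 = echo request, 0 = echo reply


@dataclass(frozen=True)
class Rule:
    target: str                       # "ACCEPT" or "DROP"
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    states: Optional[FrozenSet[str]] = None   # "-m state --state ..."; None = any state

    def matches(self, p: Packet) -> bool:
        # Every criterion that is set on the rule must equal the packet's value.
        wanted = ((self.in_if, p.in_if), (self.out_if, p.out_if), (self.dst, p.dst),
                  (self.proto, p.proto), (self.dport, p.dport),
                  (self.icmp_type, p.icmp_type))
        if any(want is not None and want != got for want, got in wanted):
            return False
        return self.states is None or p.state in self.states


def evaluate(chain: Tuple[Rule, ...], policy: str, p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match falls through to the chain policy.
    Returns (verdict, index of the matching rule, or None when the policy applied)."""
    for idx, rule in enumerate(chain):
        if rule.matches(p):
            return rule.target, idx
    return policy, None


S = frozenset
# The questioner's FORWARD chain, in the order the rules were appended.
QUESTION_CHAIN = (
    Rule("ACCEPT", in_if="wg0", proto="tcp", dport=445, dst=NAS, states=S({"NEW", "RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", out_if="wg0", states=S({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", in_if="wg0", proto="icmp", icmp_type=8, dst=NAS, states=S({"NEW", "RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", out_if="wg0", proto="icmp", icmp_type=0, states=S({"RELATED", "ESTABLISHED"})),
)
# The answerer's FORWARD chain.
ANSWER_CHAIN = (
    Rule("DROP", states=S({"INVALID"})),
    Rule("ACCEPT", states=S({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", in_if="wg0", dst=NAS, proto="icmp"),
    Rule("ACCEPT", in_if="wg0", dst=NAS, proto="tcp", dport=445),
)

# Constructed sample packets: what a VPN peer might send, and what comes back.
SAMPLES = {
    "smb_to_nas":      Packet("wg0", "eth0", NAS, "tcp", dport=445),
    "http_to_nas":     Packet("wg0", "eth0", NAS, "tcp", dport=80),
    "ping_nas":        Packet("wg0", "eth0", NAS, "icmp", icmp_type=8),
    "ping_other_host": Packet("wg0", "eth0", "192.168.178.50", "icmp", icmp_type=8),
    "smb_reply":       Packet("eth0", "wg0", PEER, "tcp", state="ESTABLISHED"),
    "echo_reply":      Packet("eth0", "wg0", PEER, "icmp", state="ESTABLISHED", icmp_type=0),
    "lan_to_vpn_new":  Packet("eth0", "wg0", PEER, "tcp", dport=22),
    "invalid_pkt":     Packet("wg0", "eth0", NAS, "tcp", state="INVALID", dport=445),
}


def verdicts(chain: Tuple[Rule, ...], policy: str = "DROP") -> dict:
    """Map each sample packet name to the verdict the chain gives it."""
    return {name: evaluate(chain, policy, p)[0] for name, p in SAMPLES.items()}


def shadowed(chain: Tuple[Rule, ...], policy: str = "DROP") -> list:
    """Indices of rules that none of the sample packets ever reaches; only as
    meaningful as the sample set you feed in."""
    hit = {evaluate(chain, policy, p)[1] for p in SAMPLES.values()}
    return [i for i in range(len(chain)) if i not in hit]


if __name__ == "__main__":
    for label, chain in (("questioner", QUESTION_CHAIN), ("answerer", ANSWER_CHAIN)):
        print(f"{label}: {verdicts(chain)}  never reached: {shadowed(chain)}")
```

Running it shows both chains give identical verdicts for every sample packet, and that rule index 3 of the questioner's chain (the echo-reply rule) is never the first match, since the echo reply is already accepted by rule index 1. Extending SAMPLES with the traffic you actually expect, including the traffic you want refused, is a cheap way to review a rule set before loading it on the Pi.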