
I am trying to restrict my Wireguard VPN to only allow SSH connections between the clients and I am struggling to set up proper iptables PostUp rules for the wireguard server.

My Interface has the following PostUp rules:

```
PostUp   = iptables -A FORWARD -i %i -p tcp --dport 22 -j ACCEPT; iptables -A FORWARD -o %i -p tcp --dport 22 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -p tcp --dport 22 -j ACCEPT; iptables -D FORWARD -o %i -p tcp --dport 22 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
```

This for some reason allows access to all ports.

I have also tried to use `iptables -A FORWARD -p tcp ! --dport 22 -j DROP` as an additional very first rule. But for some reason I only managed to block all traffic (including ssh).

Is there any way to allow the clients to only have access to port 22?

P.R.
  • Is SSH really only between clients? I am confused about what you are trying to do with the `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` rule – Zoredache Mar 06 '20 at 22:58
  • Thanks for your answer. I have tried to condense my setup, but maybe that was a mistake. In truth wireguard is running on a cloud machine that acts as a (NAT) router that allows the wireguard clients to access an internal network. That is what the masquerade is doing. I am not sure if that changes anything with the filters. – P.R. Mar 09 '20 at 12:39
  • One more thing, in case it helps. The machine has only one physical interface: `eth0` and the wireguard (virtual) interface is `wg0server`. – P.R. Mar 09 '20 at 12:49

1 Answer


I would be tempted to add a chain called perhaps wireguard, or something else, with rules like these. These would get added by something outside wireguard.

```
# create wireguard chain
iptables -t filter -N wireguard
# permit anything coming from or going to port 22
iptables -t filter -A wireguard -p tcp --dport 1024:65535 --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A wireguard -p tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# drop everything else
iptables -t filter -A wireguard -j DROP
```

Then in your wireguard PostUp, just add rules like this.

```
iptables -t filter -I FORWARD -i %i -j wireguard
iptables -t filter -I FORWARD -o %i -j wireguard
```
Zoredache
  • This seems to work. It just took me some time as I think I had some rules left over in my iptables. This helped clear them: https://serverfault.com/a/200658/457440 . After that, your suggestions worked really well. Using a separate chain also helped debugging a lot. – P.R. Mar 09 '20 at 13:32
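The accept-only PostUp rules in the question cannot restrict anything on their own when the FORWARD chain's default policy is ACCEPT; what makes the answer's approach hold is the unconditional DROP at the end of the dedicated chain, plus the `-I` hooks that put that chain ahead of every other FORWARD rule. The script below is an added example, not code from the question or the answer: a small helper that wg-quick can call as `PostUp = /path/to/wg-ssh-only.sh up %i` and `PostDown = /path/to/wg-ssh-only.sh down %i`. It assumes the chain name `wireguard` from the answer, an interface name passed as the second argument, and the `-m conntrack --ctstate` match (the current spelling of the answer's `-m state`). Setting `IPT="echo iptables"` prints the commands instead of running them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the question or answer: build and tear down a
# "wireguard" filter chain that only lets SSH through a WireGuard interface.
# Assumptions: chain name "wireguard", interface name in $2, conntrack available.
# Dry run: IPT="echo iptables" ./wg-ssh-only.sh up wg0server
set -eu

CHAIN=wireguard

# Rules that populate the chain, one iptables argument list per line.
# Client -> port 22 may open new connections; port 22 -> client may only answer.
# The final unconditional DROP is what actually enforces "SSH only".
wg_chain_rules() {
  cat <<EOF
-t filter -A $CHAIN -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-t filter -A $CHAIN -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-t filter -A $CHAIN -j DROP
EOF
}

# FORWARD hooks for one interface; $2 is "I" (insert at top, PostUp) or "D" (delete, PostDown).
# Both directions are hooked because forwarded traffic enters and leaves via the tunnel.
wg_forward_rules() {
  iface=$1; op=$2
  printf '%s\n' "-t filter -$op FORWARD -i $iface -j $CHAIN"
  printf '%s\n' "-t filter -$op FORWARD -o $iface -j $CHAIN"
}

# Feed every line of a rule list to iptables (or to the dry-run command in $IPT).
run_rules() {
  while read -r line; do
    # shellcheck disable=SC2086  # word splitting of $line is intended
    ${IPT:-iptables} $line
  done
}

wg_up() {
  # Create the chain, or flush a leftover copy so re-running PostUp is safe.
  ${IPT:-iptables} -t filter -N "$CHAIN" 2>/dev/null || ${IPT:-iptables} -t filter -F "$CHAIN"
  { wg_chain_rules; wg_forward_rules "$1" I; } | run_rules
}

# Teardown order matters: unhook FORWARD first, then flush and delete the chain.
wg_down() {
  { wg_forward_rules "$1" D; printf '%s\n' "-t filter -F $CHAIN" "-t filter -X $CHAIN"; } | run_rules
}

case "${1:-}" in
  up)   wg_up "${2:?interface name required}" ;;
  down) wg_down "${2:?interface name required}" ;;
esac
```

The question's `iptables -t nat ... MASQUERADE` rule stays in PostUp/PostDown as before; this script only covers the filter table. After bringing the interface up, `iptables -t filter -L wireguard -v -n` shows per-rule packet counters, so a client attempt on any port other than 22 should be visible as hits on the final DROP rule rather than on either ACCEPT.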