I am trying to restrict my WireGuard VPN to only allow SSH connections between the clients, and I am struggling to set up proper iptables PostUp rules for the WireGuard server.
My interface has the following PostUp rules:
PostUp = iptables -A FORWARD -i %i -p tcp --dport 22 -j ACCEPT; iptables -A FORWARD -o %i -p tcp --dport 22 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -p tcp --dport 22 -j ACCEPT; iptables -D FORWARD -o %i -p tcp --dport 22 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
This for some reason allows access to all ports.
I have also tried to use iptables -A FORWARD -p tcp ! --dport 22 -j DROP
as an additional very first rule, but for some reason I only managed to block all traffic (including SSH).
Is there any way to allow the clients to only have access to port 22?
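An added example (not from the question itself) of a FORWARD rule set that lets peers open only TCP/22 while still passing the replies that a bare "! --dport 22 -j DROP" rule discards, which is why the attempt above blocked SSH too. It assumes the interface is named wg0 (the %i wg-quick substitutes) and that eth0 is the uplink, as in the question; both can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not taken from the question: iptables rules that let WireGuard
# peers open only TCP/22, while still passing the replies that a bare
# "! --dport 22 -j DROP" rule would discard. WG_IF plays the role of wg-quick's
# %i and eth0 is the uplink named in the question; both are assumptions.
WG_IF="${WG_IF:-wg0}"
WAN_IF="${WAN_IF:-eth0}"

# Print the rules one per line. $1 is the chain action: -A for PostUp,
# -D for PostDown. Order matters with -A: the reply rule and the SSH rule
# must sit above the catch-all DROP, which is why -A rather than -I is used.
ssh_only_rules() {
  action="$1"
  # 1. Replies to connections a peer already opened (SSH data flowing back).
  echo "iptables $action FORWARD -o $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # 2. New SSH connections entering from the tunnel, whether they leave via
  #    the uplink or go back out through the tunnel to another peer.
  echo "iptables $action FORWARD -i $WG_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
  # 3. Everything else from the tunnel. Without an explicit DROP the chain's
  #    default policy decides, and a default of ACCEPT opens every port.
  echo "iptables $action FORWARD -i $WG_IF -j DROP"
  # 4. NAT for traffic leaving via the uplink, as in the original PostUp.
  echo "iptables -t nat $action POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Join the rules with "; " so the result can be pasted as a single
# PostUp = / PostDown = value in wg0.conf.
hook_line() {
  ssh_only_rules "$1" | sed '$!s/$/; /' | tr -d '\n'
}

# Run the rules (needs root). Only invoked when APPLY is set, so the script
# can be inspected first: APPLY=up ./ssh-only.sh or APPLY=down ./ssh-only.sh
apply_rules() {
  ssh_only_rules "$1" | while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd"
  done
}

case "${APPLY:-}" in
  up)   apply_rules -A ;;
  down) apply_rules -D ;;
  *)    echo "PostUp = $(hook_line -A)"; echo "PostDown = $(hook_line -D)" ;;
esac
```

The rules are appended, so they only behave as intended if the FORWARD chain does not already hold a broader ACCEPT for wg0 traffic above them; check with iptables -S FORWARD after bringing the interface up.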