
I have a raspi connected to the Internet with a WireGuard road-warrior tunnel to the office. The raspi should forward traffic from the "raspi Intranet" to a specific server on the office net. The raspi also has access to that specific server on port 3000.

"other clients in Raspi Net (port 3000)" ->"raspi:3000"-> Tunnel->office->Server:3000

As an example: the raspi Intranet interface eth0 has 192.168.13.201, the tunnel address on wg0 is 10.10.10.15, and the office server daemon for port 3000 is at 192.168.1.5:3000.

I tried this without success:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.1.5:3000
iptables -A FORWARD -p tcp -d 192.168.1.5 --dport 3000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

1 Answer


Found the answer with these rules:

    iptables -P FORWARD DROP
    iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 3000 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3000 -j DNAT --to-destination 192.168.1.5
    iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 3000 -d 192.168.1.5 -j SNAT --to-source 10.10.10.15

The primary problem was the last rule. I had to change the --to-source address to the tunnel adapter's address and not the eth0 one.

Bfo

  • Why not route all traffic? NAT is an ugly hack, and as you have private IPs on the internal net and the wg net, you can route traffic as you want and not have to rely on NAT. – vidarlo Jan 12 '22 at 07:06
  • Because I will not route "all" traffic through the tunnel. – user1912399 Jan 13 '22 at 08:06
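The accepted rule set, packaged as a script with a check for the mistake the question ran into. This is an added example, not the poster's script: the interface names, addresses and port are the ones from the question, and the LAN prefix 192.168.13.0/24 is an assumption (the question only gives the raspi's own address). Compared with the answer it also restricts the NEW rule and the DNAT rule to the LAN prefix and the target server, so the raspi does not become a generic forwarder for anything that reaches eth0. The reason the SNAT source must be the wg0 address: packets leaving the tunnel with the eth0 source address do not match what the office peer lists in AllowedIPs for this raspi, so the office side drops them, and the office server would have no route back to 192.168.13.x anyway. The trade-off of SNAT is that the office server sees every LAN client as 10.10.10.15, so per-client logging has to happen on the raspi.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT/SNAT port forward from the raspi LAN
# into a WireGuard tunnel. All values below are assumptions taken from the question.
LAN_IF="${LAN_IF:-eth0}"
TUN_IF="${TUN_IF:-wg0}"
LAN_NET="${LAN_NET:-192.168.13.0/24}"   # assumed LAN prefix of the raspi
TUN_ADDR="${TUN_ADDR:-10.10.10.15}"     # raspi's WireGuard address: the only valid SNAT source
SERVER="${SERVER:-192.168.1.5}"         # office server reached through the tunnel
PORT="${PORT:-3000}"

# Emit the rule set, one rule per line, without the leading "iptables" word so the
# same text can be inspected, checked and applied.
gen_rules() {
    cat <<EOF
-P FORWARD DROP
-A FORWARD -i $LAN_IF -o $TUN_IF -s $LAN_NET -d $SERVER -p tcp --syn --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $TUN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport $PORT -j DNAT --to-destination $SERVER:$PORT
-t nat -A POSTROUTING -o $TUN_IF -d $SERVER -p tcp --dport $PORT -j SNAT --to-source $TUN_ADDR
EOF
}

# Compare the --to-source of every SNAT rule with the address given as $1.
# Returns 1 when a rule would SNAT to some other address (the eth0 mistake from the question).
check_snat_source() {
    gen_rules | awk -v want="$1" '
        /-j SNAT/ { for (i = 1; i <= NF; i++) if ($i == "--to-source" && $(i + 1) != want) bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# First IPv4 address configured on the tunnel interface, for checking against the live box.
tunnel_addr() {
    ip -4 -o addr show dev "$TUN_IF" | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# Apply the rules idempotently: "-C" asks whether the rule already exists, so re-running
# the script does not append duplicates. The policy line is handled separately.
apply_rules() {
    check_snat_source "$(tunnel_addr)" || { echo "SNAT source is not the $TUN_IF address" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    iptables -P FORWARD DROP
    gen_rules | while IFS= read -r rule; do
        case "$rule" in -P*) continue ;; esac
        check="$(printf '%s' "$rule" | sed 's/ -A / -C /')"
        # shellcheck disable=SC2086  # word splitting of the rule text is intended here
        iptables $check 2>/dev/null || iptables $rule
    done
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run `sh forward.sh apply` as root on the raspi; without the argument the script only defines the functions, so `. ./forward.sh; gen_rules` shows the rules that would be installed. Because the FORWARD policy is DROP, anything not matching the NEW rule (other ports, other destinations, traffic originating from the office side) is discarded rather than forwarded.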