
I have two servers, and I can access one of them via WireGuard. I have a service that listens on port 4559 on the second server. How can I port forward to the second server via iptables?

[laptop]                         [server1]                 [server2]
10.10.0.1 (wireguard) -------> 10.10.0.2:4559 --------> 192.168.1.20:4559

1 Answer


To forward TCP port 4559 from your WireGuard interface on server1 to server2, add this to the [Interface] section of server1's WireGuard config:

PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = iptables -t nat -A PREROUTING -i %i -p tcp --dport 4559 -j DNAT --to-destination 192.168.1.20
PreUp = iptables -t nat -A POSTROUTING ! -o %i -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i %i -p tcp --dport 4559 -j DNAT --to-destination 192.168.1.20
PostDown = iptables -t nat -D POSTROUTING ! -o %i -j MASQUERADE

Replace -p tcp with -p udp if it's UDP port 4559 you're trying to forward.

That will work just fine to access server2 from the laptop as 10.10.0.2:4559; but your particular scenario sounds a lot like the common "point-to-site" access pattern -- with the laptop being the remote "point", and server1 providing access to a larger "site". With that pattern, you normally would either configure the router at the site to route your WireGuard subnet (like 10.10.0.0/24) directly via server1 (no NAT), or you would set up SNAT on server1 to masquerade packets from WireGuard to the site.

With either of those point-to-site approaches, you would access port 4559 on server2 from the laptop as 192.168.1.20:4559 (just like if the laptop was physically on the site's LAN). Here's a good overview of your WireGuard point-to-site routing options, with links to step-by-step guides if you want to further explore those options.

Justin Ludwig
  • I still can't access service with telnet. – heydar dasoomi Aug 26 '21 at 13:12
  • Ah, you're probably also going to need to masquerade the packets forwarded from server1 to server2 -- I edited my answer to include an additional `MASQUERADE` iptables rule. – Justin Ludwig Aug 26 '21 at 18:43
  • still doesn't work – heydar dasoomi Aug 27 '21 at 11:51
  • 1) run `sudo iptables -S` on server1 to list your active iptables rules to see if you have other rules that are blocking access; 2) run `sudo nft list ruleset` on server1 to see if you have nftables rules that are blocking access; 3) run `ping 10.10.0.2` on the laptop to verify that you can connect to server1 through WireGuard; 4) run `telnet 192.168.1.20 4559` on server1 to verify that you can connect to server2 – Justin Ludwig Aug 27 '21 at 19:08
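As an added example (not code from the answer or from the WireGuard project), a POSIX shell check for step 1 of the last comment: it takes the combined output of `iptables -S` and `iptables -t nat -S` from server1 and verifies that the DNAT and MASQUERADE rules from the answer are present, plus an ACCEPT in the FORWARD chain when that chain's policy is DROP. The interface name wg0 and the two sample rulesets are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: audit server1's ruleset for the rules the answer installs.
# Feed it the combined output of `iptables -S` and `iptables -t nat -S`:
# `iptables -S` alone lists only the filter table, so the DNAT and
# MASQUERADE rules from the nat table would never appear in it.
# check_forwarding "<ruleset>" <wg-iface> <port> <dest-ip>; returns 0 when
# every rule needed for the forward is present, 1 otherwise (reasons on stderr).
check_forwarding() {
    ruleset=$1; wgif=$2; port=$3; dest=$4; ok=0
    dest_re=$(printf '%s' "$dest" | sed 's/\./\\./g')   # literal dots for grep -E
    # DNAT: rewrite the destination of packets arriving on the WireGuard
    # interface for the forwarded port (iptables -S inserts "-m tcp" itself).
    printf '%s\n' "$ruleset" | grep -qE "^-A PREROUTING -i $wgif -p (tcp|udp) (-m (tcp|udp) )?--dport $port -j DNAT --to-destination $dest_re\$" \
        || { echo "missing DNAT rule for port $port -> $dest" >&2; ok=1; }
    # MASQUERADE: server2 must see server1 as the source, otherwise its replies
    # are sent toward 10.10.0.x directly and never come back through the tunnel.
    printf '%s\n' "$ruleset" | grep -qE "^-A POSTROUTING ! -o $wgif -j MASQUERADE\$" \
        || { echo "missing MASQUERADE rule for traffic leaving $wgif" >&2; ok=1; }
    # A DROP policy on FORWARD (common once Docker or ufw is installed) discards
    # the DNATed packets unless an explicit ACCEPT covers the destination/port.
    if printf '%s\n' "$ruleset" | grep -q '^-P FORWARD DROP'; then
        printf '%s\n' "$ruleset" | grep -qE "^-A FORWARD .*-d $dest_re(/32)? .*--dport $port .*-j ACCEPT" \
            || { echo "FORWARD policy is DROP with no ACCEPT for $dest:$port" >&2; ok=1; }
    fi
    return $ok
}

# Constructed sample (not captured output): filter table with a DROP policy
# plus a matching ACCEPT, then the nat table the answer's PreUp lines produce.
GOOD_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A FORWARD -i wg0 -d 192.168.1.20/32 -p tcp -m tcp --dport 4559 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i wg0 -p tcp -m tcp --dport 4559 -j DNAT --to-destination 192.168.1.20
-A POSTROUTING ! -o wg0 -j MASQUERADE'

# Constructed sample: same nat rules but no FORWARD ACCEPT, so packets are
# rewritten by DNAT and then dropped; telnet from the laptop just hangs.
BLOCKED_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A PREROUTING -i wg0 -p tcp -m tcp --dport 4559 -j DNAT --to-destination 192.168.1.20
-A POSTROUTING ! -o wg0 -j MASQUERADE'

check_forwarding "$GOOD_RULES" wg0 4559 192.168.1.20 && echo "GOOD_RULES: complete"
check_forwarding "$BLOCKED_RULES" wg0 4559 192.168.1.20 || echo "BLOCKED_RULES: incomplete"
```

Run it against real output with `check_forwarding "$(sudo iptables -S; sudo iptables -t nat -S)" wg0 4559 192.168.1.20`; net.ipv4.ip_forward is not visible in a ruleset, so check that separately with `sysctl net.ipv4.ip_forward`.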