Wireguard limiting access to services and machines in local network

Question

I'm running a Wireguard "Server" in my local network, that i reach remotely through my static public IP. I want to be able to limit access to Wireguard remote peers to services/machines in my lan, where i host other server.

Example: Server 1 (192.168.1.23 | 10.0.0.1) with Wireguard installed + Nextcloud + Jellyfin in same machine Server 2 (192.168.1.62) with Photoprism

Remote peer 1 (10.0.0.2 | dynamic ip) Remote peer 2 (10.0.0.3 | dynamic ip)

I want to:

1- Allow peer1 (10.0.0.2) to access Server 1 Nextcloud + Jellyfin and access to Server 2 to Photoprism.

2- Allow Peer2 (10.0.0.3) to only access Server 1 Nextcloud but not Jellyfin and block access to Server 2

Right now i can access all machines in my lan from all Peers.

Iptables rules:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s7 -j MASQUERADE; iptables -t nat -A POSTROUTING -o wg0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s7 -j MASQUERADE; iptables -t nat -D POSTROUTING -o wg0

I followed this tutorial, from Justin Ludwig because Site to Point topology is very similar to mine. So i tried to replicate Iptables rules with these rules:

# masquerading
PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x200
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x200 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x200
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x200 -j MASQUERADE

# wireguard ingress
PreUp = iptables -I INPUT -p udp --dport 2332 -j ACCEPT
PostDown = iptables -D INPUT -p udp --dport 2332 -j ACCEPT

# site firewall
PreUp = iptables -N wg0-filter
PreUp = iptables -N to-photoprism
PreUp = iptables -N to-jellyfin
PreUp = iptables -N to-nextcloud

PreUp = iptables -I INPUT   -i wg0 -j wg0-filter
PreUp = iptables -I FORWARD -i wg0 -j wg0-filter
PreUp = iptables -I FORWARD -o wg0 -j wg0-filter
PreUp = iptables -I OUTPUT  -o wg0 -j wg0-filter

PreUp = iptables -A wg0-filter -m state --state ESTABLISHED,RELATED -j ACCEPT
PreUp = iptables -A wg0-filter -d 192.168.1.63  -p tcp --dport   2342 -j to-photoprism
PreUp = iptables -A wg0-filter -d 192.168.1.23  -p tcp --dport   8096 -j to-jellyfin
PreUp = iptables -A wg0-filter -d 192.168.1.23  -p tcp --dport     80 -j to-nextcloud
PreUp = iptables -A wg0-filter -j REJECT

PreUp = iptables -A to-photoprism     -s 10.0.0.2    -j ACCEPT

PreUp = iptables -A to-jellyfin       -s 10.0.0.2    -j ACCEPT
PreUp = iptables -A to-jellyfin       -s 10.0.0.3    -j ACCEPT

PreUp = iptables -A to-nextcloud      -s 10.0.0.2    -j ACCEPT
PreUp = iptables -A to-nextcloud      -s 10.0.0.3    -j ACCEPT

PostDown = iptables -D INPUT   -i wg0 -j wg0-filter
PostDown = iptables -D FORWARD -i wg0 -j wg0-filter
PostDown = iptables -D FORWARD -o wg0 -j wg0-filter
PostDown = iptables -D OUTPUT  -o wg0 -j wg0-filter

PostDown = iptables -F to-photoprism
PostDown = iptables -F to-jellyfin
PostDown = iptables -F to-nextcloud

PostDown = iptables -X to-photoprism
PostDown = iptables -X to-jellyfin
PostDown = iptables -X to-nextcloud

This didn't worked, Peer 1 and Peer 2 can reach Server 1, both services, but not Server 2.

I'm not so savvy to understand what i have to change to make this work, I would be happy if someone can chime in.

Thanks in advance

score 0 · Accepted Answer · answered Feb 18 '22 at 03:55

Overall your iptables rules look good to me; although:

In the question description, you mention Server 2 has an IP address of 192.168.1.62; but in in the iptables rules, you seem to be using 192.168.1.63 for it:
```
 iptables -A wg0-filter -d 192.168.1.63  -p tcp --dport   2342 -j to-photoprism
```
Is that a typo in one place or the other?
In the description, you mention Peer 2 (10.0.0.3) should not have access to Jellyfin; but in the iptables rules, you grant it access with this line:
```
 iptables -A to-jellyfin       -s 10.0.0.3    -j ACCEPT
```
Perhaps you meant to remove this rule?
I don't see any PostDown commands to tear down the wg0-filter chain, like you have for the other custom chains; make sure you include them:
```
 PostDown = iptables -F wg0-filter
 PostDown = iptables -X wg0-filter
```
Without these tear-down commands, if you make changes and restart, the wg0-chain may end up using the old rules from previous attempts, instead of newer updates. (And make sure you follow the Making Config Changes advice from the article, to shut down the WireGuard interface before making config changes and restarting -- run sudo iptables-save when the interface is down to double-check if you have any old rules or chains that haven't been cleaned up.)

Thanks a lor for taking the tame to answer to my sloppy post. I'm really sorry for being sloppy. The ip was indeed wrong in my wg0.conf file. The "PostDown = iptables -X wg0-filter" was just a typo doing the post. Not it works as it should. Thanks for the great tutorials and write-ups! — plmdie, Feb 18 '22 at 12:11

Wireguard limiting access to services and machines in local network

1 Answers1