I want to use an Ubuntu 18.04 box (at 192.168.1.50) running a WireGuard client for a commercial VPN as a gateway to the LAN. WG is using wg-quick and is enabled as a service. Unbound is installed and systemd-resolved is set to DNSStubListener=no. resolv.conf is set to use the same DNS server designated by the VPN provider (per wg0.conf).
The main router is at 192.168.1.1 and blocks external access to the VPN gateway (I know INPUT is open).
The gateway is working, but the iptables rules need work. How do I tighten the rules when the goal is only to allow the box to work as a gateway? I want to use iptables only for the config necessary to make this work; all else should go in UFW, which is not yet installed. These iptables rules will be placed in wg0.conf's PostUp/PostDown.
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  192.168.1.0/24       anywhere             tcp dpt:domain
    ACCEPT     udp  --  192.168.1.0/24       anywhere             udp dpt:domain
    DROP       udp  --  anywhere             anywhere             udp dpt:domain
    DROP       tcp  --  anywhere             anywhere             tcp dpt:domain

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
UPDATE: Although the config above works, I've flushed iptables to start anew.
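One way to express tightened forwarding rules in wg0.conf's PostUp/PostDown, as an added example that is not part of the question or of any answer. It assumes the LAN-facing interface is named eth0 (a placeholder) and that net.ipv4.ip_forward=1 is already set via sysctl; the INPUT rules for Unbound are left to UFW, as the question intends.

```ini
# Added example, not from the question. Placeholder: eth0 is the LAN NIC.
# Assumes net.ipv4.ip_forward=1 is set in /etc/sysctl.conf.
[Interface]
# Address, PrivateKey and DNS from the provider's config stay as they are.

# Default-deny forwarding; %i is expanded by wg-quick to the tunnel name (wg0).
PostUp = iptables -P FORWARD DROP
# Only traffic that originates on the LAN and leaves through the tunnel
# is forwarded, plus the replies to those connections.
PostUp = iptables -A FORWARD -i eth0 -o %i -s 192.168.1.0/24 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# LAN hosts keep their private addresses, so source-NAT them to the tunnel address.
PostUp = iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o %i -j MASQUERADE

# Remove the rules in reverse order when the tunnel goes down.
PostDown = iptables -t nat -D POSTROUTING -s 192.168.1.0/24 -o %i -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o %i -s 192.168.1.0/24 -j ACCEPT
# The DROP policy is deliberately left in place: with the tunnel down, LAN
# traffic must not be forwarded out through 192.168.1.1 instead of the VPN.
```

UFW, once installed, sets its own FORWARD policy and chains, so check `iptables -S FORWARD` after enabling it to confirm the two ACCEPT rules above still precede UFW's rejects.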