apps/wg-easy
1
0
Fork 0
mirror of https://github.com/wg-easy/wg-easy.git synced 2025-09-26 19:51:15 +08:00
Code Issues Packages Projects Releases Wiki Activity
Page: Restrict Access to Networks with iptables
Pages
Home Restrict Access to Networks with iptables Using WireGuard Easy with Ansible Using WireGuard Easy with Caddy SSL Using WireGuard Easy with Kubernetes Using WireGuard Easy with Pi Hole Using WireGuard Easy with Podman Using WireGuard Easy with Traefik SSL Using WireGuard Easy with nginx SSL Using WireGuard Easy with rootless Podman (incl. Kubernetes yaml file generation) [Deprecated and will be useless with version 15.0.0] Using WireGuard Easy without Docker
Clone
2
Restrict Access to Networks with iptables
Bernd Storath edited this page 2024-12-09 09:19:06 +01:00
Table of Contents

This is an example of how to use iptables through the WG_POST_UP & WG_POST_DOWN environment variables to restrict LAN access for connected clients.

I'll break this into two examples for clarity.

Block LAN access for all connected clients while still allowing internet access:

- WG_POST_UP=iptables -I FORWARD -i wg0 -d 192.168.X.0/24 -j REJECT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- WG_POST_DOWN=iptables -D FORWARD -i wg0 -d 192.168.X.0/24 -j REJECT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Replace 192.168.X.0/24 with your local LAN subnet.

You can add multiple subnets separated by a comma (e.g. 192.168.X.0/24,172.X.0.0/16) iptables will create multiple rules for each destination.

Block LAN access except for specific clients while still allowing internet access:

- WG_POST_UP=iptables -I FORWARD -i wg0 -d 192.168.X.0/24,172.X.0.0/16 -j REJECT; iptables -I FORWARD -i wg0 -s 10.8.0.X -d 192.168.X.0/24 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- WG_POST_DOWN=iptables -D FORWARD -i wg0 -d 192.168.X.0/24,172.X.0.0/16 -j REJECT; iptables -D FORWARD -i wg0 -s 10.8.0.X -d 192.168.X.0/24 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Building on the first example we're blocking access to 192.168.X.0/24 & 172.X.0.0/16 for any clients connecting.

This time there's an entry added in the middle allowing a specific client access to the otherwise blocked subnet. Change 10.8.0.X to your clients IP from wg_easy's dashboard. Note: In my testing even if a different client changes their WireGuard settings to this IP they will no longer have access as there's a mismatch of IP to client list server side.

If you want to allow access to specific IPs (like servers) remove the /24 (e.g. 192.168.X.2)

You can add multiple subnets/client IPs separated by a comma the same way explained in the previous example.

Other notes:

The WG_POST_DOWN environment variable is essentially the same line as WG_POST_UP except we're substituting the -I for -D to delete the entry.

You should be adding these two lines under environment: in your docker-compose.yml file.