IPTABLES and PING with Wireguard [RESOLVED]

Message

lostinspace2011 · Post by **lostinspace2011** » Wed Feb 11, 2026 11:01 am

I am trying to setup my firewall to allow me to ping my wireguard client and server interface. I have setup a wireguard tunnel on vpn0 between Host A 10.0.0.1 as the VPN server and Host B with 10.0.0.2 as the VPN client.

However with IPTABLES enabled I am not able to ping 10.0.0.1 from Host B (10.0.0.2)

I have tried a number of rules including:

Code: Select all

#Reject PING
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#Allow PING on vpn0
-A INPUT -i vpn0 -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -o vpn0 -p icmp --icmp-type echo-reply -j ACCEPT

But I am only able to get the PING to work if I disable iptables completely.

I am able to ping other devices on my local network successfully.

Any suggestions are appreciated.

New at Gentoo · Post by **pietinger** » Wed Feb 11, 2026 10:34 pm

Is this problem solved with the solution in your other thread ?

lostinspace2011 · Post by **lostinspace2011** » Thu Feb 12, 2026 3:00 am

Unfortunately not

Post by Hu » Thu Feb 12, 2026 11:40 am

Please show the output of iptables-save from the ping recipient when ping is not working.

lostinspace2011 · Post by **lostinspace2011** » Thu Feb 12, 2026 11:50 am

Adding

Code: Select all

-A INPUT -i vpn0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Seems to have resolved this issue.

Post by Hu » Thu Feb 12, 2026 3:19 pm

That suggests that you had the ping working properly before. Your problem was you were blocking the pong, so the remote system answered you, but you discarded the answer. The pong is considered to be associated with the connection initiated by the ping, so the conntrack rule allows the pong to arrive.