IPTables and Wireguard [Resolved]

lostinspace2011
Apprentice
Posts: 240
Joined: Fri Sep 09, 2005 10:41 pm

Post by lostinspace2011 » Wed Feb 11, 2026 11:03 am

Just having some fun with iptables. I am trying to route traffic from AWS (10.0.0.1) to my local server (10.0.0.2) using WireGuard.

I have set up a connection on vpn0 on both servers, but I am struggling a little with iptables.

While I am experimenting I set up the following iptables rules using this script on the AWS VPN server.
I plan to include some of these inside the wireguard configuration once I have it all working.

Code:

root@vpn:~# cat routeTraffic.sh
#!/bin/bash

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT

iptables -A INPUT -i ens5 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i vpn0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i ens5 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -i ens5 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -i ens5 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i ens5 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ens5 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -i ens5 -p udp -m udp --dport 55107 -j ACCEPT
iptables -A INPUT -i vpn0 -p udp -m udp --dport 55107 -j ACCEPT
iptables -A INPUT -i ens5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -A OUTPUT -j ACCEPT

# 1. Redirect the incoming packet to the tunnel destination
iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.0.0.2:443

# 2. Allow the traffic through via the FORWARD chain
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp -d 10.0.0.2 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG

# 3. Apply Masquerading to ensure return traffic goes back through the server
iptables -t nat -A POSTROUTING -o vpn0 -j MASQUERADE

Initially I had “iptables -P FORWARD DROP” with the hope of adding a white-list of allowed rules. However, this didn’t work. I then added the LOG statement, which produces the following:

Feb 11 10:46:19 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=55784 WINDOW=64296 RES=0x00 ACK SYN URGP=0
Feb 11 10:46:19 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=42901 DF PROTO=TCP SPT=80 DPT=55784 WINDOW=502 RES=0x00 ACK URGP=0
Feb 11 10:46:19 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.X.X LEN=2788 TOS=0x00 PREC=0x00 TTL=63 ID=42902 DF PROTO=TCP SPT=80 DPT=55784 WINDOW=502 RES=0x00 ACK PSH URGP=0
Feb 11 10:46:19 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.X.X LEN=2788 TOS=0x00 PREC=0x00 TTL=63 ID=42904 DF PROTO=TCP SPT=80 DPT=55784 WINDOW=502 RES=0x00 ACK PSH URGP=0
Feb 11 10:46:38 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.Y.Y LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=443 DPT=59476 WINDOW=64860 RES=0x00 ACK SYN URGP=0

Any suggestions on what FORWARD rule I need to add for this to work with FORWARD DROP? It looks like these are the response packets which come from VPN0 and are going back to the internet on ENS5. I thought the “NEW,ESTABLISHED,RELATED” statement would handle these, as they are part of the response to an accepted request.

Any thought or suggestions would be most helpful.
Last edited by lostinspace2011 on Wed Feb 11, 2026 1:36 pm, edited 1 time in total.
pietinger
Administrator
Posts: 6635
Joined: Tue Oct 17, 2006 5:11 pm
Location: Bavaria

Re: IPTables and Wireguard

Post by pietinger » Wed Feb 11, 2026 12:40 pm

lostinspace2011 wrote: [...] Any thoughts or suggestions would be most helpful.

1. You are missing the way back with this rule:

Code:

iptables -A FORWARD -d 10.0.0.2 -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

What you want is:

Code:

iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 10.0.0.2 -p tcp --dport 443 -m state --state NEW -j ACCEPT

or shorter:

Code:

iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 10.0.0.2 -p tcp --dport 443 -j ACCEPT

2. This is not necessary:

Code:

iptables -P OUTPUT DROP
[....]
iptables -A OUTPUT -j ACCEPT

Just allow it immediately:

Code:

iptables -P OUTPUT ACCEPT

... or don't configure it at all, because if you don't set a default policy, then the default is ACCEPT :lol:

3. ... but of course it is more secure to configure your firewall with this:

Code:

#!/bin/bash

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

[now allow everything you need]

... please read number 6 of this chapter (or the entire article):
https://wiki.gentoo.org/wiki/User:Pieti ... all#Basics


P.S.: And don't forget to allow:

Code:

iptables -A INPUT       -i lo -j ACCEPT
iptables -A OUTPUT      -o lo -j ACCEPT

;-)
https://wiki.gentoo.org/wiki/User:Pietinger --> New at Gentoo
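As an added example (not the thread's own script), the corrected ruleset from the reply above written as a small generator, so the rules can be read back before they are applied: the stateful ESTABLISHED,RELATED rule comes first in every chain, loopback is allowed, FORWARD defaults to DROP, and only NEW connections to the DNAT'd services on the tunnel peer are let through. It covers all four forwarded services from the original script rather than only port 443; the interface names, peer address and WireGuard port are the original post's values, while the variable names and the check function are assumptions of this example.

```shell
#!/bin/sh
# Added example: generates the corrected ruleset from the reply above.
# Values below come from the original post; the variable names are assumptions.
WAN_IF=ens5                 # public interface on the AWS host
VPN_IF=vpn0                 # WireGuard interface
TUNNEL_PEER=10.0.0.2        # local server at the other end of the tunnel
WG_PORT=55107               # WireGuard listen port
FORWARDED="tcp:53 udp:53 tcp:80 tcp:443"   # services DNAT'd to the peer

# Print the rules rather than applying them, so the set can be reviewed first
# ("sh fw.sh") and then applied ("sh fw.sh | sudo sh"). Forwarding also needs
# net.ipv4.ip_forward=1, which this script does not touch.
gen_rules() {
  cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport $WG_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
EOF
  # One DNAT rule plus one FORWARD rule for NEW connections per forwarded service;
  # the reply traffic (the logged SYN/ACKs from 10.0.0.2) is matched by the
  # ESTABLISHED,RELATED rule that is already in the FORWARD chain above.
  for svc in $FORWARDED; do
    proto=${svc%%:*}; port=${svc##*:}
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $TUNNEL_PEER:$port"
    echo "iptables -A FORWARD -i $WAN_IF -o $VPN_IF -p $proto -d $TUNNEL_PEER --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo "iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE"
}
# Ordering check: the first FORWARD rule must be the stateful one, otherwise
# a per-service rule with -d 10.0.0.2 would never see the return packets.
check_order() {
  first=$(gen_rules | grep -- '-A FORWARD' | head -n 1)
  case "$first" in *ESTABLISHED,RELATED*) return 0 ;; esac
  return 1
}

gen_rules
```

The OUTPUT chain here still ends with a blanket NEW accept, which matches the "-P OUTPUT ACCEPT" shortcut in the reply; narrow it to the host's own outbound needs when tightening further.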
lostinspace2011
Apprentice
Posts: 240
Joined: Fri Sep 09, 2005 10:41 pm

Post by lostinspace2011 » Wed Feb 11, 2026 1:29 pm

Thanks. This worked. Much appreciated.
pietinger
Administrator
Posts: 6635
Joined: Tue Oct 17, 2006 5:11 pm
Location: Bavaria

Post by pietinger » Wed Feb 11, 2026 10:23 pm

lostinspace2011 wrote:Thanks. This worked. Much appreciated.
You are very welcome! :D
https://wiki.gentoo.org/wiki/User:Pietinger --> New at Gentoo