iptables and WireGuard masquerading for port forwarding
by wafer from LinuxQuestions.org on (#5QY8H)
Hello. I am having some trouble with port forwarding a port from a/two WireGuard peers with iptables.
One peer (10.6.0.3) has its WireGuard configuration's AllowedIPs directive set to the WireGuard subnet (10.6.0.0/24 in this case), and one (10.6.0.2) is set to 0.0.0.0/0.
Using this iptables rule:
Code:
iptables -t nat -I POSTROUTING 1 -s 10.6.0.0/24 -o eth0 -j MASQUERADE
It forwards packets like it should, and the traffic of the peer with AllowedIPs set to 0.0.0.0/0 also gets forwarded through it.
And I can then forward ports to it with:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 25565 -j DNAT --to 10.6.0.2
using 25565 for example. This works great, even the remote address gets forwarded.
Though as for peer 10.6.0.3, things get really weird.
I can't forward ports with something like:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 4321 -j DNAT --to 10.6.0.3
It simply just does not forward. Even appending the port at the end of the address like this:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 4321 -j DNAT --to 10.6.0.3:4321
does not work.
What does work, however, is using this iptables rule:
Code:
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
And I have no idea why. I could use this, but it also overrides the previous masquerading rule, regardless of position. This wouldn't really be an issue, but it doesn't forward the remote address, and that's something I'd really like to have on 10.6.0.2.
Why does the last masquerading rule work, but not the first one?
I don't know if there is anything more to say. Sorry if it is unclear, I can elaborate if wanted.
This is just pretty frustrating. Thanks!
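Added example, not part of the post above: a dry-run shell script that emits a scoped alternative to the catch-all MASQUERADE, so the eth0 masquerade rule stays in place and 10.6.0.2 keeps seeing the real client address. It assumes the WireGuard interface is wg0 with the server's tunnel address 10.6.0.1 and the WAN interface eth0; the idea is that 10.6.0.3's AllowedIPs (10.6.0.0/24) does not cover a public client address, so its replies only enter the tunnel if the server rewrites the source to its own tunnel address.

```bash
#!/bin/sh
# Added example (not from the original post). Assumptions: WireGuard interface
# wg0, server tunnel address 10.6.0.1 (MASQUERADE on wg0 picks it up), WAN eth0.
WAN_IF="${WAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
WG_NET="10.6.0.0/24"

# Emit the rules for one forwarded port.
# $1 = protocol, $2 = public port, $3 = peer tunnel address,
# $4 = "masq" when the peer's own AllowedIPs does not cover the Internet
#      (its replies must then appear to come from the server's tunnel address),
#      "direct" when the peer routes 0.0.0.0/0 through the tunnel.
fwd_rules() {
    proto=$1; port=$2; peer=$3; mode=$4
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $peer:$port"
    echo "iptables -A FORWARD -i $WAN_IF -o $WG_IF -p $proto -d $peer --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    if [ "$mode" = masq ]; then
        # Source-NAT only this peer's forwarded flows, and only on the tunnel
        # side: the eth0 masquerade and the other peers are left untouched.
        echo "iptables -t nat -A POSTROUTING -o $WG_IF -p $proto -d $peer --dport $port -j MASQUERADE"
    fi
}

# The complete rule set for the scenario in the post.
all_rules() {
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $WG_NET -o $WAN_IF -j MASQUERADE"
    fwd_rules tcp 25565 10.6.0.2 direct   # AllowedIPs 0.0.0.0/0: replies already return via the tunnel
    fwd_rules tcp 4321 10.6.0.3 masq      # AllowedIPs 10.6.0.0/24: replies must target 10.6.0.1
}

case "${1:-}" in
    apply) all_rules | sh -e ;;   # applies the rules; needs root
    *) all_rules ;;               # default: dry run, just print them
esac
```

Run without arguments to review the generated rules, and with `apply` as root to load them.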