theis.gaedigk/wg-easy-ca-lose
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Fixed https://github.com/wg-easy/wg-easy/issues/1542

Bernd Storath
2024-12-09 09:19:06 +01:00
parent 887f4da415
commit 442947a84b
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Restrict-Access-to-Networks-with-iptables.md
+3 -3
@@ -5,7 +5,7 @@ I'll break this into two examples for clarity.
## Block LAN access for all connected clients while still allowing internet access: ## Block LAN access for all connected clients while still allowing internet access:
``` ```
- WG_POST_UP=iptables -I FORWARD -i wg0 -d 192.168.X.0/24 -j REJECT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE - WG_POST_UP=iptables -I FORWARD -i wg0 -d 192.168.X.0/24 -j REJECT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- WG_POST_DOWN=iptables -I FORWARD -D wg0 -d 192.168.X.0/24 -j REJECT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE - WG_POST_DOWN=iptables -D FORWARD -i wg0 -d 192.168.X.0/24 -j REJECT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
``` ```
Replace `192.168.X.0/24` with your local LAN subnet. Replace `192.168.X.0/24` with your local LAN subnet.
@@ -14,7 +14,7 @@ You can add multiple subnets separated by a comma (e.g. `192.168.X.0/24,172.X.0.
## Block LAN access except for specific clients while still allowing internet access: ## Block LAN access except for specific clients while still allowing internet access:
``` ```
- WG_POST_UP=iptables -I FORWARD -i wg0 -d 192.168.X.0/24,172.X.0.0/16 -j REJECT; iptables -I FORWARD -i wg0 -s 10.8.0.X -d 192.168.X.0/24 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE - WG_POST_UP=iptables -I FORWARD -i wg0 -d 192.168.X.0/24,172.X.0.0/16 -j REJECT; iptables -I FORWARD -i wg0 -s 10.8.0.X -d 192.168.X.0/24 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- WG_POST_DOWN=iptables -I FORWARD -D wg0 -d 192.168.X.0/24,172.X.0.0/16 -j REJECT; iptables -I FORWARD -D wg0 -s 10.8.0.X -d 192.168.X.0/24 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE - WG_POST_DOWN=iptables -D FORWARD -i wg0 -d 192.168.X.0/24,172.X.0.0/16 -j REJECT; iptables -D FORWARD -i wg0 -s 10.8.0.X -d 192.168.X.0/24 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
``` ```
Building on the first example we're blocking access to 192.168.X.0/24 & 172.X.0.0/16 for any clients connecting. Building on the first example we're blocking access to 192.168.X.0/24 & 172.X.0.0/16 for any clients connecting.
@@ -25,6 +25,6 @@ If you want to allow access to specific IPs (like servers) remove the /24 (e.g.
You can add multiple subnets/client IPs separated by a comma the same way explained in the previous example. You can add multiple subnets/client IPs separated by a comma the same way explained in the previous example.
## Other notes: ## Other notes:
The WG_POST_DOWN environment variable is essentially the same line as WG_POST_UP except we're substituting the `-i` for `-D` to delete the entry. The WG_POST_DOWN environment variable is essentially the same line as WG_POST_UP except we're substituting the `-I` for `-D` to delete the entry.
You should be adding these two lines under `environment:` in your docker-compose.yml file. You should be adding these two lines under `environment:` in your docker-compose.yml file.