Skip to content

Instantly share code, notes, and snippets.

@iarp

iarp/unraid wireguard limit access block webui.sh

Created March 7, 2022 19:42
Show Gist options
  • Save iarp/4dfeee322b86376843b3ef94edd9d82b to your computer and use it in GitHub Desktop.
Save iarp/4dfeee322b86376843b3ef94edd9d82b to your computer and use it in GitHub Desktop.
Download ZIP
Raw
unraid wireguard limit access block webui.sh
WIREGUARD_INTERFACE=wg1
WIREGUARD_LAN=10.253.2.0/24
MASQUERADE_INTERFACE=eth0
iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
iptables -N WIREGUARD_INPUT
iptables -N WIREGUARD_DROP_WG0_INPUT
iptables -A INPUT -j WIREGUARD_INPUT
iptables -A WIREGUARD_INPUT -i $WIREGUARD_INTERFACE -j WIREGUARD_DROP_WG0_INPUT
iptables -A WIREGUARD_DROP_WG0_INPUT -s 10.253.2.0/24 -j DROP
iptables -A WIREGUARD_DROP_WG0_INPUT -j RETURN
# Add a WIREGUARD_wg0 chain to the FORWARD chain
CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
iptables -N $CHAIN_NAME
iptables -I FORWARD -i $WIREGUARD_INTERFACE -j $CHAIN_NAME
# Accept related or established traffic
iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Accept traffic from any Wireguard IP address connected to the Wireguard server
iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -d 172.17.0.10 -p tcp -m tcp --dport 9117 -j ACCEPT
iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -d 172.17.0.20 -p tcp -m tcp --dport 1433 -j ACCEPT
iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -d 172.17.0.4 -p tcp -m tcp --dport 5432 -j ACCEPT
# Drop everything else coming through the Wireguard interface
iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP
# Return to FORWARD chain
iptables -A $CHAIN_NAME -j RETURN
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment