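# / === START OF FIREWALL === \ #
#
# wg-quick hook rules for the wg1 interface: every PostUp rule has a
# matching PostDown rule that removes it.  wg-quick runs hooks under
# `set -e`, so a PostDown whose `-D` finds no rule aborts ALL remaining
# PostDown hooks and leaves stale FORWARD/NAT entries behind.  Keep the
# two lists symmetric when editing (the previous version had no
# PostDown for the eth0->wg1 ACCEPT rules, a PostDown for 10.8.0.10 that
# had no PostUp and reused 10.8.0.4's public address, and IPv6 SNAT
# PostDown rules with no PostUp).
#
# NOTE(review): the DNAT rules match every protocol and port on each
# public address, so none of those addresses can also serve the host
# itself (including WireGuard's own ListenPort) — confirm against the
# rest of the [Interface] section.  They also carry no `-i eth0`, so
# packets from wg1 addressed to a public IP are rewritten as well.
#
# NOTE(review): FORWARD accepts eth0->wg1 unconditionally, so every port
# on every mapped client is reachable from the Internet through its
# public address; clients need their own host firewall if that is not
# intended.  The RELATED,ESTABLISHED rules are kept so tightening the
# unconditional ACCEPT later does not break return traffic.

# Allow loopback traffic
PostUp = iptables -A INPUT -i lo -j ACCEPT
PostUp = iptables -A OUTPUT -o lo -j ACCEPT
PostUp = ip6tables -A INPUT -i lo -j ACCEPT
PostUp = ip6tables -A OUTPUT -o lo -j ACCEPT

# ================== IPv4: Allow established and related connections ==================
PostUp = iptables -A FORWARD -i wg1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -o wg1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# ================== IPv6: Allow established and related connections ==================
PostUp = ip6tables -A FORWARD -i wg1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
PostUp = ip6tables -A FORWARD -i eth0 -o wg1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# ================== IPv4: Forward VPN <-> Internet (LOG lines optional) ==================
# Uncomment the LOG lines (and their PostDown twins) to trace traffic at debug level.
# PostUp = iptables -A FORWARD -i wg1 -o eth0 -j LOG --log-prefix "OUTBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostUp = iptables -A FORWARD -i wg1 -o eth0 -j ACCEPT
# PostUp = iptables -A FORWARD -i eth0 -o wg1 -j LOG --log-prefix "INBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostUp = iptables -A FORWARD -i eth0 -o wg1 -j ACCEPT

# ================== IPv6: Forward VPN <-> Internet (LOG lines optional) ==================
# PostUp = ip6tables -A FORWARD -i wg1 -o eth0 -j LOG --log-prefix "OUTBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostUp = ip6tables -A FORWARD -i wg1 -o eth0 -j ACCEPT
# PostUp = ip6tables -A FORWARD -i eth0 -o wg1 -j LOG --log-prefix "INBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostUp = ip6tables -A FORWARD -i eth0 -o wg1 -j ACCEPT

# ================== IPv4: SNAT for outbound traffic (1:1 public address per client) ==================
# Clients without a dedicated mapping below have NO outbound NAT unless MASQUERADE is enabled.
#PostUp = iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
# 10.8.0.2  -> 154.29.72.96
PostUp = iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.2 -j SNAT --to-source 154.29.72.96
# 10.8.0.3  -> 154.29.72.59
PostUp = iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.3 -j SNAT --to-source 154.29.72.59
# 10.8.0.4  -> 154.29.72.98
PostUp = iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.4 -j SNAT --to-source 154.29.72.98
# 10.8.0.6  -> 154.29.72.100
PostUp = iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.6 -j SNAT --to-source 154.29.72.100
# 10.8.0.9  -> 154.29.72.101
PostUp = iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.9 -j SNAT --to-source 154.29.72.101
# 10.8.0.11 -> 154.29.72.102
PostUp = iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.11 -j SNAT --to-source 154.29.72.102

# ================== IPv6: SNAT for outbound traffic ==================
# NOTE(review): the original file only had PostDown rules for these mappings; they are
# added here so up/down stay symmetric.  If IPv6 SNAT is not wanted, delete both the
# PostUp and PostDown lines together.  The 2604:f440:1::3:0:* addresses must be routed
# to this host for return traffic to arrive — confirm.
# fd81:bb6b:ee21::2 -> 2604:f440:1::3:0:b
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -s fd81:bb6b:ee21::2 -j SNAT --to-source 2604:f440:1::3:0:b
# fd81:bb6b:ee21::3 -> 2604:f440:1::3:0:c
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -s fd81:bb6b:ee21::3 -j SNAT --to-source 2604:f440:1::3:0:c
# fd81:bb6b:ee21::4 -> 2604:f440:1::3:0:d
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -s fd81:bb6b:ee21::4 -j SNAT --to-source 2604:f440:1::3:0:d

# ================== IPv4: DNAT for inbound traffic (all protocols, all ports) ==================
# 154.29.72.96  -> 10.8.0.2
PostUp = iptables -t nat -A PREROUTING -d 154.29.72.96 -j DNAT --to-destination 10.8.0.2
# 154.29.72.59  -> 10.8.0.3
PostUp = iptables -t nat -A PREROUTING -d 154.29.72.59 -j DNAT --to-destination 10.8.0.3
# 154.29.72.98  -> 10.8.0.4
PostUp = iptables -t nat -A PREROUTING -d 154.29.72.98 -j DNAT --to-destination 10.8.0.4
# 154.29.72.100 -> 10.8.0.6
PostUp = iptables -t nat -A PREROUTING -d 154.29.72.100 -j DNAT --to-destination 10.8.0.6
# 154.29.72.101 -> 10.8.0.9
PostUp = iptables -t nat -A PREROUTING -d 154.29.72.101 -j DNAT --to-destination 10.8.0.9
# 154.29.72.102 -> 10.8.0.11
PostUp = iptables -t nat -A PREROUTING -d 154.29.72.102 -j DNAT --to-destination 10.8.0.11

# ====================================================================================
# PostDown: exact mirror of the PostUp list above, one -D per -A.
# ====================================================================================

# ================== IPv4: DELETE established and related connections ==================
PostDown = iptables -D FORWARD -i wg1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# ================== IPv6: DELETE established and related connections ==================
PostDown = ip6tables -D FORWARD -i wg1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
PostDown = ip6tables -D FORWARD -i eth0 -o wg1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# ================== IPv4: DELETE forward VPN <-> Internet ==================
# PostDown = iptables -D FORWARD -i wg1 -o eth0 -j LOG --log-prefix "OUTBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostDown = iptables -D FORWARD -i wg1 -o eth0 -j ACCEPT
# PostDown = iptables -D FORWARD -i eth0 -o wg1 -j LOG --log-prefix "INBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostDown = iptables -D FORWARD -i eth0 -o wg1 -j ACCEPT

# ================== IPv6: DELETE forward VPN <-> Internet ==================
# PostDown = ip6tables -D FORWARD -i wg1 -o eth0 -j LOG --log-prefix "OUTBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostDown = ip6tables -D FORWARD -i wg1 -o eth0 -j ACCEPT
# PostDown = ip6tables -D FORWARD -i eth0 -o wg1 -j LOG --log-prefix "INBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostDown = ip6tables -D FORWARD -i eth0 -o wg1 -j ACCEPT

# ================== IPv4: DELETE SNAT for outbound traffic ==================
#PostDown = iptables -t nat -D POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -s 10.8.0.2 -j SNAT --to-source 154.29.72.96
PostDown = iptables -t nat -D POSTROUTING -o eth0 -s 10.8.0.3 -j SNAT --to-source 154.29.72.59
PostDown = iptables -t nat -D POSTROUTING -o eth0 -s 10.8.0.4 -j SNAT --to-source 154.29.72.98
PostDown = iptables -t nat -D POSTROUTING -o eth0 -s 10.8.0.6 -j SNAT --to-source 154.29.72.100
PostDown = iptables -t nat -D POSTROUTING -o eth0 -s 10.8.0.9 -j SNAT --to-source 154.29.72.101
PostDown = iptables -t nat -D POSTROUTING -o eth0 -s 10.8.0.11 -j SNAT --to-source 154.29.72.102

# ================== IPv6: DELETE SNAT for outbound traffic ==================
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -s fd81:bb6b:ee21::2 -j SNAT --to-source 2604:f440:1::3:0:b
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -s fd81:bb6b:ee21::3 -j SNAT --to-source 2604:f440:1::3:0:c
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -s fd81:bb6b:ee21::4 -j SNAT --to-source 2604:f440:1::3:0:d

# ================== IPv4: DELETE DNAT for inbound traffic ==================
PostDown = iptables -t nat -D PREROUTING -d 154.29.72.96 -j DNAT --to-destination 10.8.0.2
PostDown = iptables -t nat -D PREROUTING -d 154.29.72.59 -j DNAT --to-destination 10.8.0.3
PostDown = iptables -t nat -D PREROUTING -d 154.29.72.98 -j DNAT --to-destination 10.8.0.4
PostDown = iptables -t nat -D PREROUTING -d 154.29.72.100 -j DNAT --to-destination 10.8.0.6
PostDown = iptables -t nat -D PREROUTING -d 154.29.72.101 -j DNAT --to-destination 10.8.0.9
PostDown = iptables -t nat -D PREROUTING -d 154.29.72.102 -j DNAT --to-destination 10.8.0.11

# Allow loopback traffic (delete)
PostDown = iptables -D INPUT -i lo -j ACCEPT
PostDown = iptables -D OUTPUT -o lo -j ACCEPT
PostDown = ip6tables -D INPUT -i lo -j ACCEPT
PostDown = ip6tables -D OUTPUT -o lo -j ACCEPT
# / === END OF FIREWALL === \ #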