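# / === START OF FIREWALL === \ #
#
# wg-quick hooks for the wg0 tunnel (these lines belong in the [Interface]
# section). PostUp appends the rules when the tunnel comes up; every PostUp
# rule has a matching PostDown that deletes the identical rule, so
# `wg-quick down` restores the chains and repeated up/down cycles do not
# accumulate duplicate rules. The PostDown text must stay byte-identical to
# the PostUp text, otherwise `-D` fails to find the rule.
#
# NOTE(review): `-m state` is the legacy match; `-m conntrack --ctstate` is the
# current equivalent. Left unchanged here so PostUp/PostDown keep matching.

# ================== IPv4: Allow established and related connections =====================
PostUp = iptables -A FORWARD -i wg0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# ========================================================================================

# ================== IPv6: Allow established and related connections ======================
PostUp = ip6tables -A FORWARD -i wg0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
PostUp = ip6tables -A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# =========================================================================================

# ========================================== IPv4: Log outbound traffic from WireGuard VPN to any destination and port ================
# Optional LOG rule kept disabled; enable together with its PostDown counterpart below.
# PostUp = iptables -A FORWARD -i wg0 -o eth0 -j LOG --log-prefix "OUTBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostUp = iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
# =====================================================================================================================================
# NOTE(review): the next rule accepts NEW connections arriving on eth0 and
# forwarded into the tunnel, so VPN peers are reachable from the outside on any
# destination/port. If peers are only meant to initiate traffic, remove this
# rule (and its PostDown) and let the RELATED,ESTABLISHED rule above handle replies.
# PostUp = iptables -A FORWARD -i eth0 -o wg0 -j LOG --log-prefix "INBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
# =====================================================================================================================================

# ========================================== IPv6: Log outbound traffic from WireGuard VPN to any destination and port ================
# PostUp = ip6tables -A FORWARD -i wg0 -o eth0 -j LOG --log-prefix "OUTBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostUp = ip6tables -A FORWARD -i wg0 -o eth0 -j ACCEPT
# =====================================================================================================================================
# NOTE(review): same exposure as the IPv4 rule above — unsolicited eth0 -> wg0
# traffic is accepted for every destination/port.
# PostUp = ip6tables -A FORWARD -i eth0 -o wg0 -j LOG --log-prefix "INBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostUp = ip6tables -A FORWARD -i eth0 -o wg0 -j ACCEPT
# =====================================================================================================================================

# SNAT for outbound traffic
# Fixed --to-source addresses are used instead of MASQUERADE; they must match
# the addresses actually configured on eth0 or outbound tunnel traffic breaks.
# ============================= IP Reserved for IPv4: [10.7.0.0/24] ===========================
PostUp = iptables -t nat -A POSTROUTING -o eth0 -s 10.7.0.0/24 -j SNAT --to-source 154.29.72.51
# =============================================================================================

# ============================= IP Reserved for IPv6: [fd81:bb6b:ee21::2] ======================================
# NOTE(review): the header names fd81:bb6b:ee21::2 but the rule matches
# fddd:2c4:2c4:2c4::/24, and a /24 mask keeps only the first 24 bits of an IPv6
# address — far wider than one tunnel subnet. Reconcile the source prefix with the
# interface's Address line (a /64 is the usual tunnel size) so SNAT applies only
# to tunnel sources; the PostDown below must be changed in step.
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -s fddd:2c4:2c4:2c4::/24 -j SNAT --to-source 2604:f440:1::3:0:a
# ==============================================================================================================

# ============= IPv4: DELETE Allow established and related connections ================================================================
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# =====================================================================================================================================
PostDown = iptables -D FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# =====================================================================================================================================
# PostDown = iptables -D FORWARD -i wg0 -o eth0 -j LOG --log-prefix "OUTBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostDown = iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT
# Added: the eth0 -> wg0 ACCEPT appended by PostUp had no matching delete, so it
# survived `wg-quick down` and was appended again on every `wg-quick up`.
# PostDown = iptables -D FORWARD -i eth0 -o wg0 -j LOG --log-prefix "INBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
# =====================================================================================================================================

# ============= IPv6: DELETE Allow established and related connections ================================================================
PostDown = ip6tables -D FORWARD -i wg0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# =====================================================================================================================================
PostDown = ip6tables -D FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# =====================================================================================================================================
# PostDown = ip6tables -D FORWARD -i wg0 -o eth0 -j LOG --log-prefix "OUTBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostDown = ip6tables -D FORWARD -i wg0 -o eth0 -j ACCEPT
# Added: matching delete for the IPv6 eth0 -> wg0 ACCEPT, for the same reason as above.
# PostDown = ip6tables -D FORWARD -i eth0 -o wg0 -j LOG --log-prefix "INBOUND_TRAFFIC: " --log-ip-options --log-tcp-options --log-level 7
PostDown = ip6tables -D FORWARD -i eth0 -o wg0 -j ACCEPT
# =====================================================================================================================================

# Remove SNAT rule
# ============================= IP Reserved for IPv4: [10.7.0.0/24] =============================
PostDown = iptables -t nat -D POSTROUTING -o eth0 -s 10.7.0.0/24 -j SNAT --to-source 154.29.72.51
# ===============================================================================================

# ============================= IP Reserved for IPv6: [fd81:bb6b:ee21::2] ========================================
# Must stay identical to the IPv6 SNAT PostUp rule above (including the prefix length) for -D to match.
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -s fddd:2c4:2c4:2c4::/24 -j SNAT --to-source 2604:f440:1::3:0:a
# ================================================================================================================

# / === END OF FIREWALL === \ #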