By default, using this install script, I can connect to WireGuard on the server's public IP (eth0).
I can ping the WireGuard interface on the server, 10.51.51.1, but not any of the "lan" in the 10.50.50.0/24 subnet.
This is because the iptables rules are more specific to bringing traffic in/out on eth0 and ignore lan0.
I have a server that has wan0 and lan0.
A workaround is iptables rules based on whatever port the WireGuard server is running on, which allows WireGuard clients to use the eth0 public or eth1 private subnets without specifying the LAN private range. For example, if I had 4 interfaces on the server and each one had a different subnet for different VLANs etc., then the following iptables rules would work for all interfaces/subnets based on $port for the WireGuard server. In this case I am using port 52688 (yes, non-standard). Thanks!
```ini
PostUp = iptables -t nat -A POSTROUTING -s 10.51.51.0/24 ! -d 10.51.51.0/24 -j MASQUERADE
PostUp = iptables -I INPUT -p udp --dport 52688 -j ACCEPT
PostUp = iptables -I FORWARD -s 10.51.51.0/24 -j ACCEPT
PostUp = iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.51.51.0/24 ! -d 10.51.51.0/24 -j MASQUERADE
PostDown = iptables -D INPUT -p udp --dport 52688 -j ACCEPT
PostDown = iptables -D FORWARD -s 10.51.51.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
```
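
An added check, not part of the original issue or the install script: it confirms that every `PostUp` iptables rule in a wg-quick config has a matching `PostDown` delete, so interface-independent rules like the ones above are not left in place after the tunnel goes down. The function name `unmatched_postup` and the embedded sample (the rules from the post) are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit a wg-quick config for PostUp rules lacking a PostDown.

# Constructed sample input: the eight rules quoted in the issue.
SAMPLE_CONF='PostUp = iptables -t nat -A POSTROUTING -s 10.51.51.0/24 ! -d 10.51.51.0/24 -j MASQUERADE
PostUp = iptables -I INPUT -p udp --dport 52688 -j ACCEPT
PostUp = iptables -I FORWARD -s 10.51.51.0/24 -j ACCEPT
PostUp = iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.51.51.0/24 ! -d 10.51.51.0/24 -j MASQUERADE
PostDown = iptables -D INPUT -p udp --dport 52688 -j ACCEPT
PostDown = iptables -D FORWARD -s 10.51.51.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Print each PostUp rule that has no matching PostDown; return 1 if any exist.
# Assumes rules are inserted without an explicit rule number (as in the post).
unmatched_postup() {
  conf=$1
  missing=0
  up=$(printf '%s\n' "$conf" |
    sed -n 's/^[[:space:]]*PostUp[[:space:]]*=[[:space:]]*//p')
  down=$(printf '%s\n' "$conf" |
    sed -n 's/^[[:space:]]*PostDown[[:space:]]*=[[:space:]]*//p')
  while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    # The delete form is the same command with -A or -I swapped for -D.
    expected=$(printf '%s\n' "$rule" | sed -E 's/ -(A|I) / -D /')
    if ! printf '%s\n' "$down" | grep -Fxq -- "$expected"; then
      printf 'no PostDown for: %s\n' "$rule"
      missing=1
    fi
  done <<EOF
$up
EOF
  return "$missing"
}

# Audit the sample; silent with exit status 0 when every rule is paired.
unmatched_postup "$SAMPLE_CONF"
```

To audit a real file, pass its contents, for example `unmatched_postup "$(cat /etc/wireguard/wg0.conf)"`, where the path is whichever config the interface uses.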