[plug] IPTables
Byron Hammond
byronester at gmail.com
Thu Feb 12 09:13:39 AWST 2026
Not answering the question here but I just wanted to add that you will need
to have `sysctl net.ipv4.ip_forward` enabled as well if not already.
Google something like "ip4 forward sysctl"
On Wed, 11 Feb 2026 at 18:54, Alex H. via plug <plug at plug.org.au> wrote:
> Hi all,
>
> Just having some fun with iptables. I am trying to route traffic from
> AWS(10.0.0.1) to my local server (10.0.0.2) using wireguard.
>
> I have set up a connection on vpn0 on both servers, but I am struggling a
> little with iptables.
>
> While I am experimenting I set up the following iptables rules using this
> script on the AWS VPN server.
> I plan to include some of these inside the wireguard configuration once I
> have it all working.
>
> root at vpn:~# cat routeTraffic.sh
> #!/bin/bash
>
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD ACCEPT
>
> iptables -A INPUT -i ens5 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i vpn0 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i ens5 -p tcp -m tcp --dport 25 -j ACCEPT
> iptables -A INPUT -i ens5 -p tcp -m tcp --dport 53 -j ACCEPT
> iptables -A INPUT -i ens5 -p udp -m udp --dport 53 -j ACCEPT
> iptables -A INPUT -i ens5 -p tcp -m tcp --dport 80 -j ACCEPT
> iptables -A INPUT -i ens5 -p tcp -m tcp --dport 443 -j ACCEPT
> iptables -A INPUT -i ens5 -p udp -m udp --dport 55107 -j ACCEPT
> iptables -A INPUT -i vpn0 -p udp -m udp --dport 55107 -j ACCEPT
> iptables -A INPUT -i ens5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
>
> iptables -A OUTPUT -j ACCEPT
>
> # 1. Redirect the incoming packet to the tunnel destination
> iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to-destination 10.0.0.2:53
> iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 10.0.0.2:53
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
> iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.0.0.2:443
>
> # 2. Allow the traffic through via the FORWARD chain
> iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -p udp -d 10.0.0.2 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -j LOG
>
> # 3. Apply Masquerading to ensure return traffic goes back through the server
> iptables -t nat -A POSTROUTING -o vpn0 -j MASQUERADE
>
> Initially I had “iptables -P FORWARD DROP” with the hope of adding a
> white-list of allowed rules. However, this didn’t work. I then added the
> LOG statement, which produces the following:
>
> Feb 11 10:46:19 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=55784 WINDOW=64296 RES=0x00 ACK SYN URGP=0
> Feb 11 10:46:19 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=42901 DF PROTO=TCP SPT=80 DPT=55784 WINDOW=502 RES=0x00 ACK URGP=0
> Feb 11 10:46:19 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.X.X LEN=2788 TOS=0x00 PREC=0x00 TTL=63 ID=42902 DF PROTO=TCP SPT=80 DPT=55784 WINDOW=502 RES=0x00 ACK PSH URGP=0
> Feb 11 10:46:19 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.X.X LEN=2788 TOS=0x00 PREC=0x00 TTL=63 ID=42904 DF PROTO=TCP SPT=80 DPT=55784 WINDOW=502 RES=0x00 ACK PSH URGP=0
> Feb 11 10:46:38 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.Y.Y LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=443 DPT=59476 WINDOW=64860 RES=0x00 ACK SYN URGP=0
>
> Any suggestions on what FORWARD rule I need to add for this to work with
> FORWARD DROP? It looks like these are the response packets which come from
> VPN0 and are going back to the internet on ENS5. I thought the
> “NEW,ESTABLISHED,RELATED” statement would handle these as they are part of
> the response in return to an accepted request.
>
> Any thoughts or suggestions would be most helpful.
>
> Kind regards
>
> Alex
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> https://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
>
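Added example, not from either poster: a small Python simulation that parses the kernel LOG lines quoted above and runs them through the posted FORWARD rules, then through the same chain with a state-only ESTABLISHED,RELATED rule in front (an assumed fix, not something the thread states). It shows why the logged packets miss every posted rule: they are the reply half of the DNAT'd flows, so their DST is the internet client rather than 10.0.0.2, and only the destination-free stateful rule catches them. The conntrack model here is a deliberate simplification based on TCP flags only.

```python
# Constructed from the LOG entries quoted in the thread (the client address
# is masked there as 176.X.X.X and is kept verbatim).
LOG_LINES = [
    "Feb 11 10:46:19 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.X.X"
    " LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=55784 WINDOW=64296 RES=0x00 ACK SYN URGP=0",
    "Feb 11 10:46:19 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.X.X"
    " LEN=2788 TOS=0x00 PREC=0x00 TTL=63 ID=42902 DF PROTO=TCP SPT=80 DPT=55784 WINDOW=502 RES=0x00 ACK PSH URGP=0",
]

def parse_log(line):
    """Split a netfilter LOG line into KEY=VALUE fields plus a set of bare flag tokens."""
    fields, flags = {}, set()
    for tok in line.split("kernel:", 1)[1].split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        else:
            flags.add(tok)  # DF, ACK, SYN, PSH ...
    fields["FLAGS"] = flags
    return fields

def ct_state(pkt):
    """Simplified conntrack: TCP without ACK opens a flow (NEW); anything carrying ACK,
    including the SYN/ACK reply, belongs to a tracked flow (ESTABLISHED). Non-TCP is
    called NEW because no flow table is kept here."""
    if pkt.get("PROTO") != "TCP":
        return "NEW"
    return "ESTABLISHED" if "ACK" in pkt["FLAGS"] else "NEW"

def rule(states, proto=None, dst=None, dport=None):  # None selector = wildcard
    return {"states": set(states), "proto": proto, "dst": dst, "dport": dport}

# The FORWARD chain from the posted script: every rule pins -d 10.0.0.2.
POSTED_FORWARD = [rule(["NEW", "ESTABLISHED", "RELATED"], p, "10.0.0.2", d)
                  for p, d in (("TCP", "53"), ("UDP", "53"), ("TCP", "80"), ("TCP", "443"))]
# Assumed fix (not from the thread): a state-only rule in front, so replies are accepted
# by connection state instead of having to match a destination of 10.0.0.2.
STATEFUL_FORWARD = [rule(["ESTABLISHED", "RELATED"])] + POSTED_FORWARD

def matches(r, pkt):
    selectors = (("proto", "PROTO"), ("dst", "DST"), ("dport", "DPT"))
    if any(r[k] is not None and r[k] != pkt.get(f) for k, f in selectors):
        return False
    return ct_state(pkt) in r["states"]

def first_match(chain, line):
    """Index of the first ACCEPT rule hit, or None: the packet reaches LOG and the policy."""
    pkt = parse_log(line)
    return next((i for i, r in enumerate(chain) if matches(r, pkt)), None)
```

A real deployment would use `-m conntrack --ctstate ESTABLISHED,RELATED` on the FORWARD chain rather than this flag heuristic, and keep the LOG rule behind it so that only genuinely unmatched packets are logged.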