[plug] IPTables

Alex H. alex at spottedmouse.com
Thu Feb 12 11:03:05 AWST 2026


Thanks for this. My mistake was:

iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

instead of:

iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 10.0.0.2 -p tcp --dport 443 -m state --state NEW -j ACCEPT

Having separate statements for the established/related packets and the new packets resolved my problem.

Thanks for all your help.

Alex

From: plug <plug-bounces at plug.org.au> On Behalf Of Byron Hammond via plug
Sent: Thursday, 12 February 2026 9:14
To: Alex H. <alex at spottedmouse.com>
Cc: plug at plug.org.au
Subject: Re: [plug] IPTables

Not answering the question here but I just wanted to add that you will need to have `sysctl net.ipv4.ip_forward` enabled as well if not already.

Google something like "ip4 forward sysctl"

On Wed, 11 Feb 2026 at 18:54, Alex H. via plug <plug at plug.org.au> wrote:

Hi all,

Just having some fun with iptables. I am trying to route traffic from AWS (10.0.0.1) to my local server (10.0.0.2) using wireguard.

I have set up a connection on vpn0 on both servers, but I am struggling a little with iptables.

While I am experimenting I set up the following iptables rules using this script on the AWS VPN server.

I plan to include some of these inside the wireguard configuration once I have it all working.

root@vpn:~# cat routeTraffic.sh
#!/bin/bash

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT

iptables -A INPUT -i ens5 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i vpn0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i ens5 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -i ens5 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -i ens5 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i ens5 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ens5 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -i ens5 -p udp -m udp --dport 55107 -j ACCEPT
iptables -A INPUT -i vpn0 -p udp -m udp --dport 55107 -j ACCEPT
iptables -A INPUT -i ens5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -A OUTPUT -j ACCEPT

# 1. Redirect the incoming packet to the tunnel destination
iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.0.0.2:443

# 2. Allow the traffic through via the FORWARD chain
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp -d 10.0.0.2 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG

# 3. Apply Masquerading to ensure return traffic goes back through the server
iptables -t nat -A POSTROUTING -o vpn0 -j MASQUERADE

Initially I had “iptables -P FORWARD DROP” with the hope of adding a white-list of allowed rules. However, this didn’t work. I then added the LOG statement which produces the following:

Feb 11 10:46:19 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=55784 WINDOW=64296 RES=0x00 ACK SYN URGP=0
Feb 11 10:46:19 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=42901 DF PROTO=TCP SPT=80 DPT=55784 WINDOW=502 RES=0x00 ACK URGP=0
Feb 11 10:46:19 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.X.X LEN=2788 TOS=0x00 PREC=0x00 TTL=63 ID=42902 DF PROTO=TCP SPT=80 DPT=55784 WINDOW=502 RES=0x00 ACK PSH URGP=0
Feb 11 10:46:19 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.X.X LEN=2788 TOS=0x00 PREC=0x00 TTL=63 ID=42904 DF PROTO=TCP SPT=80 DPT=55784 WINDOW=502 RES=0x00 ACK PSH URGP=0
Feb 11 10:46:38 vpn.host.com kernel: IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.Y.Y LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=443 DPT=59476 WINDOW=64860 RES=0x00 ACK SYN URGP=0

Any suggestions on what FORWARD rule I need to add for this to work with FORWARD DROP? It looks like these are the response packets which come from VPN0 and are going back to the internet on ENS5. I thought the “NEW,ESTABLISHED,RELATED” statement would handle these as they are part of the response to an accepted request.

Any thoughts or suggestions would be most helpful.

Kind regards

Alex

_______________________________________________
PLUG discussion list: plug at plug.org.au
https://lists.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.org.au
PLUG Membership: http://www.plug.org.au/membership
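Added example, not from the thread: a small Python model of how the two FORWARD rule sets treat the packets in the kernel LOG output above. The log lines and the client's SYN are constructed from the thread's values (176.X.X.X is the thread's own redaction), and conntrack state is approximated from TCP flags, which real conntrack does not do.

```python
import re

# Constructed from the LOG lines in the thread, trimmed to the relevant fields.
# Both are replies from the server leaving via ens5 toward the client.
REPLY_LOGS = [
    "IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.X.X PROTO=TCP SPT=80 DPT=55784 ACK SYN URGP=0",
    "IN=vpn0 OUT=ens5 MAC= SRC=10.0.0.2 DST=176.X.Y.Y PROTO=TCP SPT=443 DPT=59476 ACK SYN URGP=0",
]
# Constructed: the client's SYN as FORWARD sees it after the PREROUTING DNAT.
REQUEST_LOG = "IN=ens5 OUT=vpn0 MAC= SRC=176.X.X.X DST=10.0.0.2 PROTO=TCP SPT=55784 DPT=80 SYN URGP=0"

ANY = {"NEW", "ESTABLISHED", "RELATED"}

# FORWARD rules from routeTraffic.sh: the state match is present, but every
# rule is also pinned to the server side's address and port (-d / --dport).
ORIGINAL = [
    {"dst": "10.0.0.2", "dport": "80", "states": ANY, "target": "ACCEPT"},
    {"dst": "10.0.0.2", "dport": "443", "states": ANY, "target": "ACCEPT"},
]
# The fix from the follow-up: replies matched on state alone, with no address
# or port, and then NEW connections allowed only toward the server.
FIXED = [
    {"states": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"dst": "10.0.0.2", "dport": "80", "states": {"NEW"}, "target": "ACCEPT"},
    {"dst": "10.0.0.2", "dport": "443", "states": {"NEW"}, "target": "ACCEPT"},
]

def parse_log(line):
    """Turn a kernel LOG line into a dict of its KEY=VALUE fields.
    State is approximated: a bare SYN opens a flow, anything else continues one."""
    pkt = dict(re.findall(r"(\w+)=(\S*)", line))
    flags = set(re.findall(r"\b(SYN|ACK|PSH|FIN|RST)\b", line))
    pkt["state"] = "NEW" if flags == {"SYN"} else "ESTABLISHED"
    return pkt

def matches(rule, pkt):
    """Every criterion the rule specifies must hold; unspecified ones match anything."""
    return (rule.get("dst", pkt["DST"]) == pkt["DST"]
            and rule.get("dport", pkt["DPT"]) == pkt["DPT"]
            and pkt["state"] in rule.get("states", ANY))

def forward_verdict(chain, line, policy="DROP"):
    """First matching rule wins; otherwise the chain policy (here FORWARD DROP)."""
    pkt = parse_log(line)
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

def verdicts(chain, lines):
    return [forward_verdict(chain, l) for l in lines]
```

With the original rules the replies fall through to the DROP policy because their destination is the client, not 10.0.0.2; the fixed chain accepts them on state alone while the client's SYN is accepted by both.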
