Firewall

[mcordes92]

Hello,

I need help with the firewall. I have the following problem: I have my Wireguard client active on my computer and I have a system on the PC that has port 3001 and also listens on all IP addresses. In the firewall, I have also set that all peers can communicate with each other, but now I cannot reach my service on port 3001.

[eduardogsilva]

Hello @mcordes92

Are both clients on the same wireguard instance?

Can you share a print screen of your firewall screen?
Also, please go to Console > iptables and copy the output to paste here (don't forget to add de code formatting here to make it easier to read.

Warning: if you have any sensitive information, on your firewall, you should remove from the printscreen and from iptables output.

cheers.

[mcordes92]

Here is the iptables

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
7292K 3453M WGWADM_FORWARD  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain WGWADM_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
5927K 3356M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  wg0    eth0    0.0.0.0/0            127.0.0.250         
    0     0 ACCEPT     0    --  wg1    eth0    0.0.0.0/0            127.0.0.250         
    0     0 ACCEPT     6    --  eth0   wg+     0.0.0.0/0            10.9.0.12            tcp dpt:9109
    0     0 REJECT     0    --  wg+    eth0    0.0.0.0/0            172.16.0.0/12        reject-with icmp-port-unreachable
1325K   94M ACCEPT     0    --  wg+    eth0    0.0.0.0/0            0.0.0.0/0           
38649 2645K ACCEPT     0    --  wg1    wg0     0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  wg1    eth0    0.0.0.0/0            10.212.0.0/16       
    0     0 ACCEPT     0    --  wg1    eth0    0.0.0.0/0            192.168.0.0/24      
    0     0 ACCEPT     0    --  wg0    eth0    0.0.0.0/0            10.212.0.0/16       
  505 30300 ACCEPT     0    --  wg0    wg0     0.0.0.0/0            0.0.0.0/0           
  196 16014 ACCEPT     0    --  wg1    wg1     0.0.0.0/0            0.0.0.0/0           
   27  1080 DROP       0    --  wg+    wg+     0.0.0.0/0            0.0.0.0/0           
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
1321K   93M WGWADM_PREROUTING  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  777 50499 DOCKER_OUTPUT  0    --  *      *       0.0.0.0/0            127.0.0.11          

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
1288K   92M WGWADM_POSTROUTING  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
  777 50499 DOCKER_POSTROUTING  0    --  *      *       0.0.0.0/0            127.0.0.11          

Chain DOCKER_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       6    --  *      *       0.0.0.0/0            127.0.0.11           tcp dpt:53 to:127.0.0.11:37073
  777 50499 DNAT       17   --  *      *       0.0.0.0/0            127.0.0.11           udp dpt:53 to:127.0.0.11:38758

Chain DOCKER_POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       6    --  *      *       127.0.0.11           0.0.0.0/0            tcp spt:37073 to::53
    0     0 SNAT       17   --  *      *       127.0.0.11           0.0.0.0/0            udp spt:38758 to::53

Chain WGWADM_POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  0    --  wg0    eth0    0.0.0.0/0            127.0.0.250         
    0     0 MASQUERADE  0    --  wg1    eth0    0.0.0.0/0            127.0.0.250         
1251K   89M MASQUERADE  0    --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain WGWADM_PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       17   --  wg0    *       0.0.0.0/0            10.8.0.1             udp dpt:53 to:127.0.0.250:53
    0     0 DNAT       6    --  wg0    *       0.0.0.0/0            10.8.0.1             tcp dpt:53 to:127.0.0.250:53
    0     0 DNAT       17   --  wg1    *       0.0.0.0/0            10.9.0.1             udp dpt:53 to:127.0.0.250:53
    0     0 DNAT       6    --  wg1    *       0.0.0.0/0            10.9.0.1             tcp dpt:53 to:127.0.0.250:53
    0     0 DNAT       6    --  eth0   *       0.0.0.0/0            172.18.0.3           tcp dpt:9109 to:10.9.0.12:9109

And the Firewall

[eduardogsilva]

Hello @mcordes92

• Can you ping between both peers?
• Are both peers in the same wg instance?

If you answered yes for both questions, your firewall doesn't seen to be blocking any traffic.
If they are in different networks and they do not use the vpn as default route, you may need to add routes on clients to the other networks.

It doesn't look that is an issue with your firewall configuration.
Anyway, if you want to rule out the firewall from the equation, you can connect to your wireguard_webadmin cli by running

docker exec -it wireguard_webadmin bash
and then run: iptables -I FORWARD -j ACCEPT
after your tests, you can run iptables -D FORWARD -j ACCEPT to remove the rule, or just restart wireguard from the webinterface.

Make sure you can ping between both hosts first.

[eduardogsilva]

are you trying to connect/reach the main peer IP address or an ip behind the peer? (site-to-site)

[mcordes92]

my English is not that good, it is difficult to explain my configuration behind it because there is a vlan in between

[eduardogsilva]

Write in your language and ask for GPT to translate for you, then just paste the result here.

Anyway, your issue doesn't appear to be firewall related. try the suggestions that I gave you, but I need a lot more information about your environment. If it's a site to site connection double check if the networks behind the peer are listed at "Peer IP Addresses and networks".

The networks must be listed at allowedips for that peer. It's a wireguard requirement.

[mcordes92]

As seen in the firewall, I have eth0 where the network from my VLAN is located.

I have directly connected my Fritzbox via Wireguard so that it has access to wg0 and eth0 from wg1.

I performed the ping check between two direct Wireguard peers, which works without any problems. However, if I disable Wireguard on my phone so that it goes through the site-to-site connection from the Fritzbox, I cannot ping.

This is how I envision it:

wg0 and wg1 have access to all networks from eth0.
wg1 peers are allowed to see each other and access services.
wg1 can access wg0, but not vice versa.

[mcordes92]

I just checked again, I can't ping the IP of a wg1 peer directly from the VPN server either.

[eduardogsilva]

Looking at your firewall rules, I resumed the following:

wg+ -> eth0 172.16.0.0/12 REJECT
wg+ -> eth0 ACCEPT
wg1 -> wg0 ACCEPT

wg1 -> eth0 10.212.0.0/16 and 192.168.0.0/24 ACCEPT
wg0 -> eth0 10.212.0.0/16 ACCEPT

wg0 -> wg0 ACCEPT
wg1 -> wg1 ACCEPT

wg+ -> wg+ DROP

FORWARD POLICY: DROP

wg+ refers to any wireguard interface.
eth0 is your 'exit' interface.

Notes:
1- All traffic entering wg+ and exiting through eth0, is accepted except the destination 172.16.0.0/12
so your latest rules that allow traffic to 10.212.0.0/16 and 192.168.0.0/24 are not actually being used.

2- traffic from wg1 to wg0 is allowed, but not from wg0 to wg1.

3- When analyzing iptables rules, read from top to bottom. If a packet matches a rule, it stops there. If it doesn't match, it proceeds to the next rule. If no rule matches, the chain policy is applied.

4- Take a look on the counters (columns pkts and bytes) from your iptables output. Every time a packet is matched, the counters increase. Columns with 0, means that the rule is probably not being used.

5- Maybe your firewall is not doing exactly what you expect, so I would recommend reviewing the rules.

6- For isolating any firewall issues, I would strongly suggest to insert a "ALLOW ALL" rule as I mentioned before, and running your tests again.

7- Also review my other messages, for site-to-site configurations, ensure that the networks behind the client are listed in the AllowedIPs. WireGuard requires precise configuration unless you are masquerading the traffic before it leaves the client.

You have some debugging and tests to do until you find the issue. Looks like something in your network environment, not actually docker. just make sure to insert the rule that I mentioned on point 6 to rule out any firewall issue.

Cheers