Home / server / Questions / 1068004
Accepted
Asmodean
Asked: 2021-06-28 10:08:31 +0800 CST

Firewalld Forwarding Functionality with Wireguard

  • 772

I have asked before how to forward ports on a VPS running a wireguard service with ufw and iptables as the management.

I had to do this:

(56000 is a random port I chose) (10.66.66.2 is the internal ip of wireguard)

ufw route allow proto tcp to 10.66.66.2 port 56000

Then I would do this to actually forward the ports with iptables:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 56000 -j DNAT --to-destination 10.66.66.2

Is there a way for me to achieve this with firewalld instead? so I won't have to separate the forwarding into two places?

And does masquerading come into use here/is it needed? Since I don't know what it does nor what it is used for.

VPS wireguard wg0 conf for reference purposes:

Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 49503
PrivateKey = ***


[Peer]
PublicKey = ***
PresharedKey = ***
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
port-forwarding wireguard firewalld

1 Answers

  1. Best Answer

    From your previous UFW question, sounds like you're using WireGuard for two purposes?: 1) forward traffic from a WireGuard client of your VPS out to the Internet, and 2) forward a few public ports from your VPS back to the WireGuard client. You need masquerading (aka SNAT) for 1) and port forwarding (aka DNAT) for 2).

    The simplest way to set this up with firewalld is to bind your VPS's public Ethernet interface (eth0 in your case) to firewalld's predefined external zone, and your VPS's WireGuard interface (wg0 in your case) to firewalld's predefined internal zone. The external zone comes preconfigured with masquerading enabled; and both zones also come preconfigured to accept SSH and a few other services.

    First open your VPS's WireGuard listen port (49503 in your case) on the external zone:

    $ sudo firewall-cmd --zone=external --add-port=49503/udp

    And forward port TCP 56000 on the external zone to the same port on 10.66.66.2:

    $ sudo firewall-cmd --zone=external --add-forward-port='port=56000:proto=tcp:toaddr=10.66.66.2'

    Then bind eth0 to the external zone (which applies firewalld's configuration for the external zone to all eth0 connections):

    $ sudo firewall-cmd --zone=external --add-interface=eth0

    And bind wg0 to the internal zone:

    $ sudo firewall-cmd --zone=internal --add-interface=wg0

    Check your active zones:

    $ sudo firewall-cmd --get-active-zones
external
  interfaces: eth0
internal
  interfaces: wg0

    And check the configuration of your external zone:

    $ sudo firewall-cmd --info-zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh
  ports: 49503/udp
  protocols:
  masquerade: yes
  forward-ports: port=56000:proto=tcp:toaddr=10.66.66.2
  source-ports:
  icmp-blocks:
  rich rules:

    If everything's working correctly, save your current firewalld settings:

    $ sudo firewall-cmd --runtime-to-permanent
    • 2