Help: Wireguard gateway - Portainer, Iptables, Portforwarding [SOLVED]

Hello everyone,
I’ve been trying to get this to work for a couple of days now with no luck. I hope someone here can help or point me to the right direction.

I’m trying to self-host some services at home and for that I’m linking up a low-powered server with a micro VPS via wireguard. Since I want to do more container stuff and also separate public, public with a vpn, and LAN only services I’m using portainer with a wireguard client container.

The WG link works and for starters I just want to make a nginx hello world demo container public (I just point it to the wireguard container in the networking section). I can get the VPS (ens3: 10.0.0.207; wg0: 10.183.5.1) to access the nginx website with curl on its wg peer ip (10.183.5.4), but I can’t seem to manage to port forward correctly. I.e. I can’t manage to reach it via the ens3 interface / 10.0.0.207 or the public IP. So, I assume that something in my iptables is wrong. I’m quite new to those beyond the basics, so maybe somebody can have a look:

ens3 is the VPS ethernet that’s connected to the internet with ip 10.0.0.207
wg0 is the wireguard network with ip 10.183.5.1
The container has the wg ip 10.183.5.4
There are some more rules in InstanceServices prepopulated by Oracle.

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N InstanceServices
-A INPUT -i ens3 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ens3 -p udp -m udp --dport 51820 -m comment --comment wireguard-input-rule -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i ens3 -o wg0 -p tcp -m tcp --sport 80 --dport 80 -j ACCEPT
-A FORWARD -i wg0 -o wg0 -j ACCEPT
-A FORWARD -d 10.183.5.0/24 -i ens3 -o wg0 -j ACCEPT
-A FORWARD -s 10.183.5.0/24 -i wg0 -o ens3 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -d XXXXXX -j InstanceServices

sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 10.0.0.207/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.183.5.4:80
-A POSTROUTING -d 10.183.5.4/32 -o wg0 -p tcp -m tcp --dport 80 -j SNAT --to-source 10.183.5.1
-A POSTROUTING -s 10.183.5.0/24 -o ens3 -j MASQUERADE

Can you spot anything wrong here?

Any advice is welcome, thank you!
Alex

Just in case anyone finds this. The iptables rules were largely correct. The issue was with the Oracle Cloud security list. I opened port 80 - however in addition to setting the destination port to 80 I also set the source port to 80 instead of leaving it open to all ports. This was the culprit in the end - I still don’t quite understand why, maybe because everything is virtualized and there’s probably still a layer of NAT somewhere.

The iptables rules that worked look like this:

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N InstanceServices
-A INPUT -i ens3 -p udp -m udp --dport 51820 -m comment --comment wireguard-input-rule -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 10.183.5.4/32 -i ens3 -o wg0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i wg0 -o wg0 -j ACCEPT
-A FORWARD -d 10.183.5.0/24 -i ens3 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment wireguard-forward-rule -j ACCEPT
-A FORWARD -s 10.183.5.0/24 -i wg0 -o ens3 -m comment --comment wireguard-forward-rule -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.183.5.4
-A POSTROUTING -s 10.183.5.0/24 -o ens3 -m comment --comment wireguard-nat-rule -j MASQUERADE
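The reason the source-port setting broke things is worth spelling out, because the same mistake appears in the first iptables dump too: a TCP client (a browser, curl) connects to port 80 from an ephemeral source port that the client's kernel picks, so any filter that requires source port 80 on inbound traffic matches no real connection. In the original `iptables -S` output the rule `-A FORWARD -i ens3 -o wg0 -p tcp -m tcp --sport 80 --dport 80 -j ACCEPT` has exactly that problem; it only went unnoticed because the broader `-d 10.183.5.0/24 -i ens3 -o wg0 -j ACCEPT` rule accepted the traffic anyway. The script below is an added example, not code from the post: it parses an `iptables -S` dump (the rule lines are the post's own, trimmed to the relevant ones) and checks the pieces a DNAT port-forward to a WireGuard peer needs: no source-port restriction on WAN-side traffic, a PREROUTING DNAT, a FORWARD rule that accepts the first packet after DNAT, a return path, and egress NAT. The interface names, the peer address and the checks themselves are this example's assumptions. One caveat it cannot cover: a cloud security list such as Oracle's sits outside the VM, so a host-side rule check will never see that mistake.

```python
# Added example (not code from the forum post): lint an `iptables -S` dump for
# the WAN -> WireGuard-peer port-forward path. Rule text is the post's own `-A`
# lines (trimmed); interface names, peer address and checks are assumptions here.
import ipaddress
import shlex

# Constructed input: the poster's original (non-working) rules.
ORIGINAL_FILTER = """
-A INPUT -i ens3 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A FORWARD -i ens3 -o wg0 -p tcp -m tcp --sport 80 --dport 80 -j ACCEPT
-A FORWARD -d 10.183.5.0/24 -i ens3 -o wg0 -j ACCEPT
-A FORWARD -s 10.183.5.0/24 -i wg0 -o ens3 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""
ORIGINAL_NAT = """
-A PREROUTING -d 10.0.0.207/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.183.5.4:80
-A POSTROUTING -d 10.183.5.4/32 -o wg0 -p tcp -m tcp --dport 80 -j SNAT --to-source 10.183.5.1
-A POSTROUTING -s 10.183.5.0/24 -o ens3 -j MASQUERADE
"""
# Constructed input: the final working rules from the post.
WORKING_FILTER = """
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 10.183.5.4/32 -i ens3 -o wg0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 10.183.5.0/24 -i ens3 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment wireguard-forward-rule -j ACCEPT
-A FORWARD -s 10.183.5.0/24 -i wg0 -o ens3 -m comment --comment wireguard-forward-rule -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""
WORKING_NAT = """
-A PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.183.5.4
-A POSTROUTING -s 10.183.5.0/24 -o ens3 -m comment --comment wireguard-nat-rule -j MASQUERADE
"""

def parse_rules(dump):
    """Turn `-A <chain> ...` lines into dicts; -P/-N lines are skipped."""
    rules = []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) > 2 and tok[0] == "-A":
            rules.append({"chain": tok[1], "tokens": tok[2:], "raw": line.strip()})
    return rules

def option(tokens, flag):
    """Value following `flag` in a rule's token list, or None if the flag is absent."""
    if flag in tokens and tokens.index(flag) + 1 < len(tokens):
        return tokens[tokens.index(flag) + 1]
    return None

def _states(tokens):
    val = option(tokens, "--state") or option(tokens, "--ctstate")
    return val.split(",") if val else []

def _covers(net, ip):
    """True if a -s/-d value (or its absence, meaning 'any') covers `ip`."""
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def lint_port_forward(filter_dump, nat_dump, wan_if, vpn_if, peer_ip, dport):
    """Findings for the inbound tcp/<dport> forward to the peer; [] means the path is complete."""
    filt, nat, out = parse_rules(filter_dump), parse_rules(nat_dump), []
    # 1. Clients connect from an ephemeral source port, so a --sport match on traffic
    #    arriving via the WAN interface never matches a real client connection.
    for r in filt + nat:
        sport = option(r["tokens"], "--sport")
        if sport and option(r["tokens"], "-i") == wan_if:
            out.append(f"{r['chain']}: --sport {sport} blocks real clients: {r['raw']}")
    # 2. nat PREROUTING must rewrite the destination to the peer (DNAT runs before routing).
    if not any(r["chain"] == "PREROUTING" and option(r["tokens"], "--dport") == str(dport)
               and (option(r["tokens"], "--to-destination") or "").split(":")[0] == peer_ip
               for r in nat):
        out.append(f"nat PREROUTING: no DNAT of tcp/{dport} to {peer_ip}")
    # 3. FORWARD sees the packet after DNAT and must accept its *first* packet towards
    #    the peer; a RELATED,ESTABLISHED-only rule does not help here.
    def accepts_new(r):
        t = r["tokens"]
        return (r["chain"] == "FORWARD" and option(t, "-j") == "ACCEPT"
                and option(t, "-i") == wan_if and option(t, "-o") == vpn_if
                and option(t, "--sport") is None and option(t, "--dport") in (None, str(dport))
                and _covers(option(t, "-d"), peer_ip) and (not _states(t) or "NEW" in _states(t)))
    if not any(accepts_new(r) for r in filt):
        out.append(f"FORWARD: no rule accepts new tcp/{dport} connections {wan_if} -> {vpn_if}")
    # 4. Replies from the peer must be allowed back towards the WAN.
    def accepts_reply(r):
        t, st = r["tokens"], _states(r["tokens"])
        return (r["chain"] == "FORWARD" and option(t, "-j") == "ACCEPT"
                and option(t, "-i") in (None, vpn_if) and option(t, "-o") in (None, wan_if)
                and ("ESTABLISHED" in st or (not st and _covers(option(t, "-s"), peer_ip))))
    if not any(accepts_reply(r) for r in filt):
        out.append(f"FORWARD: no rule lets replies from {peer_ip} back out via {wan_if}")
    # 5. The peer's own outbound traffic needs SNAT/MASQUERADE on the WAN interface.
    if not any(r["chain"] == "POSTROUTING" and option(r["tokens"], "-o") == wan_if
               and option(r["tokens"], "-j") in ("MASQUERADE", "SNAT")
               and _covers(option(r["tokens"], "-s"), peer_ip) for r in nat):
        out.append(f"nat POSTROUTING: no MASQUERADE/SNAT for {peer_ip} leaving {wan_if}")
    return out

if __name__ == "__main__":
    for name, f, n in (("original", ORIGINAL_FILTER, ORIGINAL_NAT), ("working", WORKING_FILTER, WORKING_NAT)):
        print(name, lint_port_forward(f, n, "ens3", "wg0", "10.183.5.4", 80) or "OK")
```

Run as a script it reports the single `--sport 80` finding for the original rule set and `OK` for the working one. The `-A INPUT ... --sport 123` rule is deliberately not flagged: it has no `-i ens3` match and only admits NTP replies, which do come from source port 123. To lint a live host, replace the embedded strings with the output of `iptables -S` and `iptables -t nat -S`.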