Hello everyone,
I’ve been trying to get this to work for a couple of days now with no luck. I hope someone here can help or point me in the right direction.
I’m trying to self-host some services at home and for that I’m linking up a low-powered server with a micro VPS via wireguard. Since I want to do more container stuff and also separate public, public with a vpn, and LAN only services I’m using portainer with a wireguard client container.
The WG link works and for starters I just want to make a nginx hello world demo container public (I just point it to the wireguard container in the networking section). I can get the VPS (ens3: 10.0.0.207; wg0: 10.183.5.1) to access the nginx website with curl on its wg peer IP (10.183.5.4), but I can’t seem to manage to port forward correctly. I.e. I can’t manage to reach it via the ens3 interface / 10.0.0.207 or the public IP. So, I assume that something in my iptables is wrong. I’m quite new to those beyond the basics, so maybe somebody can have a look:
ens3 is the VPS ethernet that’s connected to the internet with ip 10.0.0.207
wg0 is the wireguard network with ip 10.183.5.1
The container has the wg ip 10.183.5.4
There are some more rules in InstanceServices prepopulated by Oracle.
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N InstanceServices
-A INPUT -i ens3 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ens3 -p udp -m udp --dport 51820 -m comment --comment wireguard-input-rule -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i ens3 -o wg0 -p tcp -m tcp --sport 80 --dport 80 -j ACCEPT
-A FORWARD -i wg0 -o wg0 -j ACCEPT
-A FORWARD -d 10.183.5.0/24 -i ens3 -o wg0 -j ACCEPT
-A FORWARD -s 10.183.5.0/24 -i wg0 -o ens3 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -d XXXXXX -j InstanceServices
sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 10.0.0.207/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.183.5.4:80
-A POSTROUTING -d 10.183.5.4/32 -o wg0 -p tcp -m tcp --dport 80 -j SNAT --to-source 10.183.5.1
-A POSTROUTING -s 10.183.5.0/24 -o ens3 -j MASQUERADE
Can you spot anything wrong here?
Any advice is welcome, thank you!
Alex
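A way to check a rule set like the one in the post without guessing is to trace one connection through it the way the kernel would: first-match top-down in PREROUTING (nat), then FORWARD (filter), then POSTROUTING (nat), and the same for the reply. The script below is an added example, not code from the post or from any project. It embeds the post's FORWARD chain and nat table as constructed sample input, understands only the match options those rules use (-i, -o, -s, -d, -p, --sport, --dport, --state), assumes every chain has policy ACCEPT as in the post, and uses a constructed client address (198.51.100.7, a documentation address) and source port (40000). It can only judge what the dump contains: whether IP forwarding is enabled in the kernel, whether a provider-side firewall in front of ens3 allows port 80, and whether the peer accepts the SNAT'd source are outside its view.

```python
"""Added example (not from the post): a first-match simulator for `iptables -S`
and `iptables -t nat -S` dumps that traces one DNAT port forward, client ->
public IP -> WireGuard peer, through PREROUTING, FORWARD and POSTROUTING.
Only the match options the post's rules use are understood (-i -o -s -d -p
--sport --dport --state); others such as -m and --comment are ignored, and
every chain is assumed to carry policy ACCEPT, as in the post."""
import ipaddress
import shlex

# Constructed sample: the FORWARD chain and nat table copied from the post.
# INPUT is left out because DNAT'd traffic is routed and never traverses INPUT.
FILTER_DUMP = """\
-A FORWARD -i ens3 -o wg0 -p tcp -m tcp --sport 80 --dport 80 -j ACCEPT
-A FORWARD -i wg0 -o wg0 -j ACCEPT
-A FORWARD -d 10.183.5.0/24 -i ens3 -o wg0 -j ACCEPT
-A FORWARD -s 10.183.5.0/24 -i wg0 -o ens3 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""
NAT_DUMP = """\
-A PREROUTING -d 10.0.0.207/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.183.5.4:80
-A POSTROUTING -d 10.183.5.4/32 -o wg0 -p tcp -m tcp --dport 80 -j SNAT --to-source 10.183.5.1
-A POSTROUTING -s 10.183.5.0/24 -o ens3 -j MASQUERADE
"""


def parse_dump(dump):
    """Return the -A rules as [(chain, {option: value}, line)] in table order."""
    rules = []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue
        opts, i = {}, 2
        while i < len(tok):  # "-x value" pairs, or a bare flag
            pair = i + 1 < len(tok) and not tok[i + 1].startswith("-")
            opts[tok[i]] = tok[i + 1] if pair else True
            i += 2 if pair else 1
        rules.append((tok[1], opts, line.strip()))
    return rules


def matches(opts, pkt):
    """True when every understood match option of the rule applies to pkt."""
    in_net = lambda ip, net: ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
    checks = {"-i": lambda v: pkt["in"] == v, "-o": lambda v: pkt["out"] == v,
              "-p": lambda v: pkt["proto"] == v,
              "-s": lambda v: in_net(pkt["src"], v), "-d": lambda v: in_net(pkt["dst"], v),
              "--sport": lambda v: pkt["sport"] == int(v),
              "--dport": lambda v: pkt["dport"] == int(v),
              "--state": lambda v: pkt["state"] in v.split(",")}
    return all(checks[k](v) for k, v in opts.items() if k in checks)


def first_match(rules, chain, pkt, policy="ACCEPT"):
    """Walk chain top-down; return (target, options, text) of the first hit, else the policy."""
    for name, opts, text in rules:
        if name == chain and matches(opts, pkt):
            return opts.get("-j", "RETURN"), opts, text
    return policy, {}, None


def check_port_forward(filter_dump, nat_dump, in_if, out_if, public_ip, port,
                       client="198.51.100.7"):
    """Trace one new TCP connection from client (constructed documentation
    address) to public_ip:port and its reply.  Returns (ok, findings)."""
    frules, nrules, findings, ok = parse_dump(filter_dump), parse_dump(nat_dump), [], True
    # 1. PREROUTING must rewrite the destination before the routing decision.
    pkt = {"in": in_if, "out": None, "proto": "tcp", "src": client, "sport": 40000,
           "dst": public_ip, "dport": port, "state": "NEW"}
    target, opts, _ = first_match(nrules, "PREROUTING", pkt)
    if target != "DNAT":
        return False, [f"no PREROUTING DNAT rule matches {public_ip}:{port}/tcp"]
    to_ip, to_port = opts["--to-destination"].rsplit(":", 1)
    # 2. The rewritten packet is routed to out_if and must pass FORWARD.
    fwd = {**pkt, "out": out_if, "dst": to_ip, "dport": int(to_port)}
    target, _, text = first_match(frules, "FORWARD", fwd)
    if target != "ACCEPT":
        ok = False
        findings.append(f"inbound FORWARD {in_if}->{out_if} hits {target}: {text or 'chain policy'}")
    # 3. POSTROUTING decides which source address the peer sees.
    target, opts, text = first_match(nrules, "POSTROUTING", fwd)
    if target in ("SNAT", "MASQUERADE"):
        findings.append(f"peer sees source {opts.get('--to-source', out_if + ' address')}: {text}")
    else:
        findings.append(f"no SNAT/MASQUERADE on {out_if}: peer needs a route to {client} via this host")
    # 4. In FORWARD the reply still carries the peer's address as source (the
    #    DNAT is undone later, in POSTROUTING) and must be accepted as well.
    reply = {"in": out_if, "out": in_if, "proto": "tcp", "src": to_ip, "sport": int(to_port),
             "dst": client, "dport": 40000, "state": "ESTABLISHED"}
    target, _, text = first_match(frules, "FORWARD", reply)
    if target != "ACCEPT":
        ok = False
        findings.append(f"reply FORWARD {out_if}->{in_if} hits {target}: {text or 'chain policy'}")
    # 5. Lint: keying on the client's source port being the service port never
    #    fits real clients, which connect from ephemeral ports.
    for name, o, text in frules:
        if name == "FORWARD" and o.get("-i") == in_if and o.get("--sport") == str(port):
            findings.append(f"dead rule (clients use ephemeral source ports): {text}")
    return ok, findings
```

Run against the post's dump, `check_port_forward(FILTER_DUMP, NAT_DUMP, "ens3", "wg0", "10.0.0.207", 80)` reports the path as complete: the DNAT matches, the third FORWARD rule (the `-d 10.183.5.0/24` one, not the `--sport 80` one, which it flags as dead) accepts the inbound packet, the SNAT makes the peer see 10.183.5.1, and the fourth FORWARD rule accepts the reply. Deleting that third FORWARD rule makes the trace land on the REJECT and the check fail, which is the kind of mistake this catches; a clean result instead points the search at what the dump cannot show, such as the kernel forwarding sysctl, a firewall in front of ens3, or the peer's own handling of traffic from 10.183.5.1.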