iamckn / wireguard_ansible

Ansible scripts for the setup of a typical wireguard VPN connection
https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/

Reasoning for (number of) firewall rules? #17

Closed axelsimon closed 4 years ago

axelsimon commented 4 years ago

Hi,

First of all, thanks for your work, your very detailed article and for taking the time to turn it all into an Ansible playbook.

Keeping in mind that my knowledge of firewall rules is still quite crude, I was trying to understand why your setup uses 7 rules when other guides I've seen only use one:

iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE

(ens3 or eth0 or whatever your uplink interface is called)

or three:

iptables -A FORWARD -i %i -j ACCEPT
iptables -A FORWARD -o %i -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

(These other setups I mention also put these rules in the wgX.conf, to ensure they are added and removed by Wireguard when the wg interface is brought up and down, as necessary, and do it for both IPv4 and IPv6. Example: PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE)

Thanks!

iamckn commented 4 years ago

Hi,

In this setup, the purpose is to ensure that no leakage of traffic happens when you're on VPN. I also have a custom DNS server which is hosted on the VPN server and I need DNS traffic to remain in this tunnel. Finally, this setup assumes a situation where no traffic is allowed unless explicitly allowed by the firewall. These rules therefore ensure that you can lock down the VPN server and the rules here would take care of things for you. The setup would still work with fewer rules if you aren't going to strictly enforce what taffic is allowed through the firewall. I've done basic explanations in the article but I'd be happy to expound on specific rules if need be.