[Bug]: Adding anything to iptables env blocks all traffic

[DevGoran]

Describe the bug

Adding anything to let's say WG_POST_UP removes all iptables rules inside the container. No traffic possible this way.

Example

• WG_POST_UP=echo "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" > /etc/wireguard/post-up.txt or
• WG_POST_UP=iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Expected behavior

Should be able to configure traffic to our needs.

Relevant log output

/app # iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[tetuaoro]

@kaaax0815 why not runn custom iptables defined by the admin user after our implemented rules. This will allow the admin to overwrite wg-easy rules without bugs like that.

// run our iptables rules : PreUp, PostUp
// run custom admin user rules with possibility to overwrite wg-easy rules

EDIT: the new WG_POST_UP will be just an empty string, and our rules will be hardcoded

[kaaax0815]

@tetuaoro Hardcoding it would prevent special cases where e.g. users don't want to masquerade their ip. Adding custom Scripts is for more experienced users which should understand the consequences. And with #1333 its more clear what is run. As it will be shown to the user

[DevGoran]

@kaaax0815

Is there currently a workaround to implement my custom IP rules, until you implement your planned changes?

An idea I have, if you're going to implement something in the UI, would be to give the users 2 options:

• Insert the whole iptable rules in a text field as I would do in the wg config
• Have something like an "Allow/Deny dropdown" to on " list (similar to how it may look in Opnsense. I guess important would be that we could move the entries up/down to change the sequence. Not sure how difficult that would be to implement but would be a neat feature.

[kaaax0815]

@DevGoran Have a look at https://github.com/wg-easy/wg-easy/blob/master/src%2Fconfig.js#L26

These are the rules that are run if you don't specify custom ones. You can extend them to your liking

[DevGoran]

@kaaax0815 haven't thought of adding my rules directly to the config.js file, thanks!

[kaaax0815]

@kaaax0815 haven't thought of adding my rules directly to the config.js file, thanks!

@DevGoran you also could do that but that wasn't my point.

You can copy them and add them before your custom rules to the env vars.

[DevGoran]

@kaaax0815 haven't thought of adding my rules directly to the config.js file, thanks!

@DevGoran you also could do that but that wasn't my point.

You can copy them and add them before your custom rules to the env vars.

I'm sure I actually tried that, but the iptable was empty within the container, hence the post. I will try it again later today.

[DevGoran]

      - WG_POST_UP=echo "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" > /etc/wireguard/post-up.txt
      - WG_PRE_DOWN=echo "iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" > /etc/wireguard/pre-down.txt

@kaaax0815 so for example if I add even one single rule as above, the iptable seems to be empty inside the container. I've also tried to add multiple rules by separating them with a ; but nothing seems to work:

/app # iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[kaaax0815]

@DevGoran this is expected as you are overwriting the default.

Look at https://github.com/wg-easy/wg-easy/issues/1394#issuecomment-2346013634

There you can see how to add custom rules.

[kaaax0815]

Closing this issue for now. Feel free to reopen