TCP_OPEN restrict to certain interfaces about aif HOT 4 OPEN

The curly brackets are not correct

OPEN_TCP="{ens3,wg0}#22  ...

I would not use OPEN_TCP / OPEN_UDP for the wireguard interfaces, but rather NAT_FORWARD_TCP / NAT_FORWARD_UDP to reach the NAT_INTERNAL_NET from the external interface.

from aif.

Thank you. I tried NAT_FORWARD_TCP last weekend and yesterday, but somehow I am mentally stuck.

The machine is a single machine in a data center. It has four interfaces: lo, eth0, wg0, wg1

My problem: What is INTERNAL_NET in this case? I tried 127.0.0.1and I had the impression, that this net is special.
At least manual the tests with the wireguard client of my telephone did not succeed, but I might have messed up.

Is 127.0.0.1 a good choice?

Do I have to set:

# (EXPERT SETTING!) Enable this if you want to be able to redirect local ports
# or protocols on your gateway using NAT forwards.
# ------------------------------------------------------------------------------
NAT_LOCAL_REDIRECT=0

If I want to allow access from the external interface wg0 to the port 22 of the internal net? What exactly is a local port? I have some services listening to all interfaces like ssh. It is listening on 0.0.0.0:22

from aif.

The machine is a single machine in a data center. It has four interfaces: lo, eth0, wg0, wg1

Given that info, try something like:

EXT_IF="eth0"
EXT_IF_DHCP_IP=1
INT_IF="wg0 wg1"
INTERNAL_NET="10.0.0.0/24 10.0.1.0/24"

(Optional) Only if Wireguard traffic needs to go outbound, outside of tunnel:

NAT=1
NAT_INTERNAL_NET="10.0.0.0/24 10.0.1.0/24"

Then to allow inbound Wireguard to wg0 (ex. port 51820)
Note: Adjust 0/0 to a more restrictive range if desired.

HOST_OPEN_UDP="0/0~51820"

This should allow you to use an external Wireguard peer to connect to your Wireguard instance and SSH over the tunnel.

Try little steps at a time.

from aif.

Hi,

I experimented a bit more and did not achieve the level of separation I want.

Basically ports are reachable on the internal_net, where I do not expect them.

If I scan from my laptop the internal address 10.0.1.1 interface wg1 of the server I see:

nmap -p 22-9000 10.0.1.1
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-01 21:42 CEST
Nmap scan report for 10.0.1.1
Host is up (0.029s latency).

PORT   STATE SERVICE
22/tcp open  ssh
8443/tcp open  https-alt
8444/tcp open  pcsync-http              
8446/tcp open  unknown                                                                
8447/tcp open  unknown       
8448/tcp open  unknown      
8449/tcp open  unknown

I have currently this configured wrt to wg1 and ssh:

OPEN_TCP="ens3,wg0#22 ens3,wg0#53 ens3#8443 ens3#8444:8449"
INT_IF="wg0 wg1"
INTERNAL_NET="10.0.0.0/24 10.0.1.0/24"

I did an iptables-save -f /tmp/xx of the iptables config and:

# rg 22 /tmp/xx
126:-A EXT_INPUT_CHAIN -i ens3 -p tcp -m tcp --dport 22 -j ACCEPT
127:-A EXT_INPUT_CHAIN -i wg0 -p tcp -m tcp --dport 22 -j ACCEPT
140:-A EXT_INPUT_CHAIN -d 224.0.0.0/4 -j EXT_MULTICAST_CHAIN

I thought port 22 would be open on ens3 and wg0, but not on wg1.

from aif.