unraid wireguard limit access block webui.sh

WIREGUARD_INTERFACE=wg1
WIREGUARD_LAN=10.253.2.0/24
MASQUERADE_INTERFACE=eth0

iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN


iptables -N WIREGUARD_INPUT
iptables -N WIREGUARD_DROP_WG0_INPUT
iptables -A INPUT -j WIREGUARD_INPUT

iptables -A WIREGUARD_INPUT -i $WIREGUARD_INTERFACE -j WIREGUARD_DROP_WG0_INPUT
iptables -A WIREGUARD_DROP_WG0_INPUT -s 10.253.2.0/24 -j DROP
iptables -A WIREGUARD_DROP_WG0_INPUT -j RETURN 


# Add a WIREGUARD_wg0 chain to the FORWARD chain
CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
iptables -N $CHAIN_NAME
iptables -I FORWARD -i $WIREGUARD_INTERFACE -j $CHAIN_NAME

# Accept related or established traffic
iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Accept traffic from any Wireguard IP address connected to the Wireguard server
iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -d 172.17.0.10 -p tcp -m tcp --dport 9117 -j ACCEPT
iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -d 172.17.0.20 -p tcp -m tcp --dport 1433 -j ACCEPT
iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -d 172.17.0.4 -p tcp -m tcp --dport 5432 -j ACCEPT

# Drop everything else coming through the Wireguard interface
iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP

# Return to FORWARD chain
iptables -A $CHAIN_NAME -j RETURN