CSF/LFD with Wireguard PostUp/PreDown commands

CanadaGuy · Post by **CanadaGuy** » 28 Oct 2021, 14:51

Hi, I have some servers acting as Wireguard endpoints that need to accept traffic from certain ports and forward them to another host on a LAN at the other end of the Wireguard tunnel. Incoming data on the ports are accepted and forwarded to the appropriate host. Outgoing data is masqueraded. The TCPMSS clamp is required to ensure the forwarded packets respect the tunnel MTU. In this case as you can probably figure out from the ports, I have a DNS server on the other end of this Wireguard tunnel.

a) Can I implement these PostUp/PreDown commands as is, or will that mess with the CSF configuration?

b) if not a), can I implement these "natively" within the CSF framework statically and I just won't worry about PostUp/PreDown

Code: Select all

PostUp = ufw route allow in on wg0 out on ens192
PostUp = ufw route allow proto tcp to 192.168.100.9 port 53
PostUp = ufw route allow proto udp to 192.168.100.9 port 53

PostUp = iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PostUp = iptables -t nat -I POSTROUTING -o ens192 -j MASQUERADE
PostUp = iptables -t nat -I PREROUTING -i ens192 -p tcp -m multiport --dport 53 -j DNAT --to-destination 192.168.100.9
PostUp = iptables -t nat -I PREROUTING -i ens192 -p udp -m multiport --dport 53 -j DNAT --to-destination 192.168.100.9

If there are issues in doing this, I can run CSF/LFD on the LAN hosts directly, but I figured it would be a nice touch to block the traffic before it needs to cross the tunnel instead of after.