Technically the nat PREROUTING rule should go into nat-start and the FORWARD filter rule should go into firewall-start.
Some day when I have the time and energy I'll write something that would automate custom wireguard firewall rules... I'll have a post here somewhere I'll need to find. I'll post it here when I find it.
Edit: here it is:
https://www.snbforums.com/threads/w...t-rules-after-router-reboot.87768/post-878099 It's "not official", as pointed out, but it works... for now... although the example is only for nat rules.
It would be nice to do the same as the fw does, but with custom files instead, possibly in /tmp/ RAM, so it would be fw future-proof...
Perhaps it's more convenient for you to just use firewall-start and nat-start to put your rules in, and delete any duplicate rules beforehand to prevent duplicates.
Like:
firewall-start:
Code:
#!/bin/sh
# Remove any copy left from the previous run first (the -D fails silently if there is none),
# then insert the rule once at the top of FORWARD.
iptables -D FORWARD -i wgc1 -p tcp -d 192.168.1.100 --dport 8080 -m state --state NEW -j ACCEPT 2>/dev/null
iptables -I FORWARD -i wgc1 -p tcp -d 192.168.1.100 --dport 8080 -m state --state NEW -j ACCEPT
nat-start:
Code:
#!/bin/sh
# Same pattern for the nat table: delete a possible duplicate, then insert the DNAT rule once.
iptables -t nat -D PREROUTING -i wgc1 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:8080 2>/dev/null
iptables -t nat -I PREROUTING -i wgc1 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:8080
Duplicate the rules and change -p tcp to -p udp if you need UDP packets to be forwarded as well.
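The two scripts above, merged into one delete-then-insert script that handles both TCP and UDP. This is an added example, not code from the post or from Asuswrt-Merlin; the interface name wgc1, the LAN host 192.168.1.100 and port 8080 are taken from the post, and the use of /jffs/scripts as the "am I on the router" check and the dry-run fallback are my own assumptions. Copy it to both /jffs/scripts/firewall-start and /jffs/scripts/nat-start (or symlink it); it picks the table from the name it is invoked as.

```shell
#!/bin/sh
# Added example: one script usable as both firewall-start and nat-start.
# Interface, LAN host and port are assumptions taken from the post; edit to taste.

WG_IF="wgc1"                 # WireGuard client interface (assumed)
LAN_HOST="192.168.1.100"     # LAN host that should receive the forwarded traffic (assumed)
PORT="8080"                  # port exposed on the VPN side and on the LAN host (assumed)
PROTOS="tcp udp"             # forward both protocols, as suggested in the post

# Only touch the real firewall on the router (Asuswrt-Merlin keeps user scripts
# under /jffs/scripts); anywhere else just print the commands for a dry run.
if [ -d /jffs/scripts ] && command -v iptables >/dev/null 2>&1; then
    IPT="iptables"
else
    IPT="echo iptables"
fi

# filter_rule PROTO -> FORWARD rule specification for one protocol
filter_rule() {
    printf 'FORWARD -i %s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT' \
        "$WG_IF" "$1" "$LAN_HOST" "$PORT"
}

# nat_rule PROTO -> PREROUTING DNAT rule specification for one protocol
nat_rule() {
    printf 'PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s' \
        "$WG_IF" "$1" "$PORT" "$LAN_HOST" "$PORT"
}

# ensure_rule TABLE RULE...: these scripts are re-run on every firewall restart,
# which is what creates the duplicates, so delete any existing copy first
# (-D fails harmlessly when there is none) and then insert the rule once.
ensure_rule() {
    table="$1"; shift
    $IPT -t "$table" -D "$@" 2>/dev/null
    $IPT -t "$table" -I "$@"
}

# Which table to manage depends on the name the script is invoked as.
case "$(basename "$0")" in
    nat-start)
        for proto in $PROTOS; do
            ensure_rule nat $(nat_rule "$proto")
        done ;;
    firewall-start)
        for proto in $PROTOS; do
            ensure_rule filter $(filter_rule "$proto")
        done ;;
    *)  # run by hand under any other name: handle both tables
        for proto in $PROTOS; do
            ensure_rule filter $(filter_rule "$proto")
            ensure_rule nat $(nat_rule "$proto")
        done ;;
esac
```

Run it on a PC (no /jffs/scripts) to see the exact iptables commands it would issue before putting it on the router; on the router, `iptables -L FORWARD -n --line-numbers` and `iptables -t nat -L PREROUTING -n --line-numbers` should then show each rule exactly once after a couple of firewall restarts.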