Port forwarding with wireguard
Since you're using UFW, first make sure the UFW rule for port 56000 that you added is not a regular input rule, but instead a "route" (aka forwarding) rule, like this (assuming it's for a TCP port; replace tcp with udp for UDP):

ufw route allow proto tcp to 10.66.66.2 port 56000

Then you need an iptables rule like this for each port you want to forward (where eth0 is the name of your WAN interface):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 56000 -j DNAT --to-destination 10.66.66.2

If you have a bunch of individual ports you want to forward, you can put them all (up to 15 ports) in the same rule using the --dports flag (note the s) of the multiport module:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 123,456,789 -j DNAT --to-destination 10.66.66.2

And since you're using UFW, you probably want to put your PREROUTING rules in the *nat block of your /etc/ufw/before.rules config file, like this (assuming you probably already have something similar to the POSTROUTING rule there):

# /etc/ufw/before.rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 56000 -j DNAT --to-destination 10.66.66.2
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

If you don't already have a *nat block in your /etc/ufw/before.rules file, add it at the end of the file. Restart UFW after you make the changes.
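An added helper script (not part of the answer above) that generates both the "ufw route allow" commands and the *nat PREROUTING lines for a list of ports, splitting long lists into multiport chunks of at most 15 ports and rejecting non-numeric or out-of-range values; the WAN interface eth0 and peer address 10.66.66.2 are assumed from the answer and should be changed to match your setup.

```shell
#!/bin/sh
# Added example, not part of the original answer: generate the UFW "route"
# rules and the /etc/ufw/before.rules *nat lines for a list of forwarded
# ports, splitting long lists into multiport chunks of at most 15 ports.
# Assumed values: WAN interface eth0 and WireGuard peer 10.66.66.2.
WAN_IF=eth0
PEER_IP=10.66.66.2
MAX_MULTIPORT=15   # limit of the iptables multiport module

# emit_route_rules PROTO PORT... -> one "ufw route allow" command per port
emit_route_rules() {
    proto="$1"; shift
    for port in "$@"; do
        printf '%s\n' "ufw route allow proto $proto to $PEER_IP port $port"
    done
}

# emit_dnat_line PROTO PORTLIST COUNT -> single port uses --dport,
# several ports use -m multiport --dports, matching the two forms above
emit_dnat_line() {
    if [ "$3" -eq 1 ]; then match="--dport $2"; else match="-m multiport --dports $2"; fi
    printf '%s\n' "-A PREROUTING -i $WAN_IF -p $1 $match -j DNAT --to-destination $PEER_IP"
}

# emit_nat_rules PROTO PORT... -> PREROUTING lines, at most 15 ports each;
# returns 1 on anything that is not a port number in 1..65535
emit_nat_rules() {
    proto="$1"; shift
    chunk=""; n=0
    for port in "$@"; do
        case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then echo "port out of range: $port" >&2; return 1; fi
        chunk="${chunk:+$chunk,}$port"; n=$((n + 1))
        if [ "$n" -eq "$MAX_MULTIPORT" ]; then
            emit_dnat_line "$proto" "$chunk" "$n"; chunk=""; n=0
        fi
    done
    [ "$n" -gt 0 ] && emit_dnat_line "$proto" "$chunk" "$n"
    return 0
}

# emit_nat_block PROTO PORT... -> complete *nat block ready for before.rules
emit_nat_block() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    emit_nat_rules "$@" || return 1
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -j MASQUERADE" 'COMMIT'
}
```

Run for example `emit_nat_block tcp 56000 8080 8443` and paste the output into before.rules, then `emit_route_rules tcp 56000 8080 8443 | sh` for the matching UFW rules.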