Firewalld Forwarding Functionality with Wireguard

Solution 1:

From your previous UFW question, it sounds like you're using WireGuard for two purposes: 1) forward traffic from a WireGuard client of your VPS out to the Internet, and 2) forward a few public ports from your VPS back to the WireGuard client. You need masquerading (aka SNAT) for 1) and port forwarding (aka DNAT) for 2).

The simplest way to set this up with firewalld is to bind your VPS's public Ethernet interface (eth0 in your case) to firewalld's predefined external zone, and your VPS's WireGuard interface (wg0 in your case) to firewalld's predefined internal zone. The external zone comes preconfigured with masquerading enabled; and both zones also come preconfigured to accept SSH and a few other services.

First open your VPS's WireGuard listen port (49503 in your case) on the external zone:

$ sudo firewall-cmd --zone=external --add-port=49503/udp

And forward port TCP 56000 on the external zone to the same port on 10.66.66.2:

$ sudo firewall-cmd --zone=external --add-forward-port='port=56000:proto=tcp:toaddr=10.66.66.2'

Then bind eth0 to the external zone (which applies firewalld's configuration for the external zone to all eth0 connections):

$ sudo firewall-cmd --zone=external --add-interface=eth0

And bind wg0 to the internal zone:

$ sudo firewall-cmd --zone=internal --add-interface=wg0

Check your active zones:

$ sudo firewall-cmd --get-active-zones
external
  interfaces: eth0
internal
  interfaces: wg0

And check the configuration of your external zone:

$ sudo firewall-cmd --info-zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh
  ports: 49503/udp
  protocols:
  masquerade: yes
  forward-ports: port=56000:proto=tcp:toaddr=10.66.66.2
  source-ports:
  icmp-blocks:
  rich rules:

If everything's working correctly, save your current firewalld settings:

$ sudo firewall-cmd --runtime-to-permanent
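As an added check that is not part of the answer above: a POSIX sh script that parses `firewall-cmd --info-zone` output and verifies the three settings the procedure depends on (masquerading on, the WireGuard UDP port open, the TCP DNAT present), using the answer's values. The zone dump is a constructed sample, not captured from the asker's VPS; on a real host replace it with the output of `sudo firewall-cmd --info-zone=external` (and `--permanent --info-zone=external` after the save).

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --info-zone=external` output with the
# answer's values (49503/udp, 56000/tcp -> 10.66.66.2); not from a real host.
SAMPLE_ZONE_INFO='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh
  ports: 49503/udp
  protocols:
  masquerade: yes
  forward-ports: port=56000:proto=tcp:toaddr=10.66.66.2
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field INFO NAME: print the value of the "  NAME: value" line of INFO.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# has_token INFO TOKEN: true if TOKEN is a whole whitespace-separated word in
# INFO. Newer firewalld prints one forward-port per (tab-indented) line, older
# versions put them all on the "forward-ports:" line; both layouts are covered.
has_token() {
    case " $(printf '%s' "$1" | tr '\n\t' '  ') " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_zone INFO WGPORT FWDPORT TOADDR: return 0 only if the zone masquerades,
# opens WGPORT/udp and forwards FWDPORT/tcp to TOADDR; names each missing item.
check_zone() {
    rc=0
    [ "$(zone_field "$1" masquerade)" = yes ] || { echo "missing: masquerade"; rc=1; }
    has_token "$1" "$2/udp" || { echo "missing: port $2/udp"; rc=1; }
    has_token "$1" "port=$3:proto=tcp:toaddr=$4" \
        || { echo "missing: forward-port $3/tcp -> $4"; rc=1; }
    return $rc
}

# zones_agree RUNTIME_INFO PERMANENT_INFO: confirm --runtime-to-permanent took
# effect. Only the header differs ("external (active)" vs "external"), so the
# first line is skipped and the rest must match exactly.
zones_agree() {
    [ "$(printf '%s\n' "$1" | sed 1d)" = "$(printf '%s\n' "$2" | sed 1d)" ]
}

check_zone "$SAMPLE_ZONE_INFO" 49503 56000 10.66.66.2 && echo "external zone OK"
```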