Iptables: how to allow forwarding from wireguard NIC only to some IP
Solution 1:
Sure you can: instead of arbitrarily allowing traffic, just make sure it goes to the destination IP you expect:
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wg0 -d 192.168.1.45 -j ACCEPT
As a side note, I wouldn't add and remove rules in the PostUp and PostDown hooks; it isn't useful to remove them when the interface no longer exists, as they don't do anything in that case. Just leave them there all the time: it's less error-prone and easier to manage.
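As an added example (not code from the answer above), the following POSIX shell script builds the two FORWARD rules from the answer for a given WireGuard interface and allowed destination, sets the FORWARD chain's default policy to DROP so that anything not explicitly allowed is refused, and installs the rules idempotently with `iptables -C ... || iptables -A ...`. That is one way to follow the side note: the rules stay in place permanently and can be re-applied safely rather than being toggled by PostUp/PostDown. The interface name `wg0`, the destination `192.168.1.45` and the `IPT` variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original answer. Builds the FORWARD
# rules for a WireGuard interface that may only reach one host and
# installs them idempotently (append only if absent), so they can stay
# in place instead of being added/removed by PostUp/PostDown hooks.
# The interface name, destination and the IPT variable are assumptions.

IPT="${IPT:-iptables}"

# Print the rule specs, one per line, without the -A/-C verb so the same
# text serves both the "check" and the "append" call.
wg_forward_rules() {
  wg_if="$1"
  dest="$2"
  # Accept only something shaped like a dotted-quad IPv4 address; this
  # keeps extra iptables arguments from being smuggled in via $dest.
  case "$dest" in
    ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
    *.*.*.*) ;;
    *) return 1 ;;
  esac
  printf '%s\n' \
    "FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
    "FORWARD -i $wg_if -d $dest -j ACCEPT"
}

# Set the FORWARD policy to DROP (unmatched traffic is refused) and append
# each rule only when "iptables -C" reports it is not already present.
wg_forward_apply() {
  rules=$(wg_forward_rules "$1" "$2") || return 1
  "$IPT" -P FORWARD DROP
  printf '%s\n' "$rules" | while IFS= read -r spec; do
    # word-splitting $spec into separate arguments is intended here
    "$IPT" -C $spec 2>/dev/null || "$IPT" -A $spec
  done
}

# Usage (assumed values): wg_forward_apply wg0 192.168.1.45
```

Running `wg_forward_apply wg0 192.168.1.45` twice leaves exactly one copy of each rule, which is what makes it safe to call from a boot script or a plain firewall unit instead of from the interface hooks.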