roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: replace WireGuard catch-all ACCEPT with DROP

Browse Source 
The PostUp rule appended `iptables -A FORWARD -i wg0 -j ACCEPT` which
allowed any WireGuard-connected client full internet access regardless of
per-peer rules, even when no peers were configured in wg0.conf.

Fix: change PostUp/PostDown to use DROP as the catch-all. Per-peer and
per-cell rules use -I (insert at top) so they take precedence; unknown
or unconfigured WG traffic hits the DROP at the bottom.

Also add reconcile_stale_peer_rules() called on startup to remove FORWARD
rules for peer IPs that no longer exist in the registry, preventing deleted
peers from retaining firewall access across container restarts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Dmitrii Iurco
2026-05-02 00:31:55 -04:00
parent 2b93c8aec5
commit 68c27b4521
6 changed files with 133 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
api/wireguard_manager.py
+2 -2
View File
@@ -134,11 +134,11 @@ class WireGuardManager(BaseServiceManager):
f'PrivateKey = {keys["private_key"]}\n'
f'Address = {address}\n'
f'ListenPort = {cfg_port}\n'
f'PostUp = iptables -A FORWARD -i %i -j ACCEPT; '
f'PostUp = iptables -A FORWARD -i %i -j DROP; '
f'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; '
f'{hairpin}'
f'sysctl -q net.ipv4.conf.all.rp_filter=0 || true\n'
f'PostDown = iptables -D FORWARD -i %i -j ACCEPT; '
f'PostDown = iptables -D FORWARD -i %i -j DROP; '
f'iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; '
f'{hairpin_down}'
f'sysctl -q net.ipv4.conf.all.rp_filter=1 || true\n'