What's the purpose of the wg-quick firewall rules?
Alexandru Scvortov
wireguard at abstractbinary.org
Mon Jun 6 13:32:33 UTC 2022
Hi,
I'm trying to understand what the firewall rules that wg-quick adds do.
I see these rules being added:
```
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
iifname != "wg0" ip daddr 10.10.1.2 fib saddr type != local counter drop
iifname != "wg0" ip daddr 10.10.0.2 fib saddr type != local counter drop
}
}
table ip mangle {
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
meta l4proto udp mark 0xca6c counter ct mark set mark
}
chain PREROUTING {
type filter hook prerouting priority mangle; policy accept;
meta l4proto udp counter meta mark set ct mark
}
}
```
The `raw` rules seem fine, but I can't figure out what the `mangle` rules are for. They're added in `add_default`, so they have something to do with the "route all traffic through Wireguard" functionality, but removing them doesn't seem to break anything on my laptop.
I think the first iteration of these were added in commit ebcf1ef8b1ad in wireguard-tools, but the commit message is "wg-quick: linux: filter bogus injected packets and don't disable rpfilter", and that doesn't make it any clearer to me.
What breaks if these rules aren't present?
Thank you.
Cheers,
Alex
More information about the WireGuard
mailing list