
multi-port with iptables

Open xyz-nobody opened this issue 1 year ago • 1 comment

I usually run my wireguard on port 443. Recently I was traveling and I came across a network that was doing something weird on port 443 and I could not connect to port 443 with wireguard.

I opened other ports to connect:

iptables -A INPUT -p udp -m multiport --dports 80,554,51820,443 -j ACCEPT

iptables -t nat -A PREROUTING -p udp -m multiport --dports 80,554,51820 -j REDIRECT --to-ports 443

It would be cool if the bash script could allow us to choose a default port that we want to open:

Default port (ex: 443); alternative ports: 80, 554, 51820

and configure it with iptables. This way we don't have to have several instances of wireguard on different ports.

xyz-nobody, Apr 16 '23 08:04

I believe that only iptables -t nat -A PREROUTING -p udp -m multiport --dports 80,554,51820 -j REDIRECT --to-ports 443 is needed, as it is done pre-routing, so you don't need to open those ports first, as it redirects them to your port 443.

No need for a bash script; just put it in the PostUp/PostDown section of your WireGuard config file.

Here is my multiport iptables in my wg0.conf file:

PostUp = iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 10:66,69:1233,1235:8000 -j REDIRECT --to-ports 1234
PostUp = ip6tables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 10:66,69:1233,1235:8000 -j REDIRECT --to-ports 1234
PostDown = iptables -t nat -D PREROUTING -i eth0 -p udp -m multiport --dports 10:66,69:1233,1235:8000 -j REDIRECT --to-ports 1234
PostDown = ip6tables -t nat -D PREROUTING -i eth0 -p udp -m multiport --dports 10:66,69:1233,1235:8000 -j REDIRECT --to-ports 1234

That is for receiving on port 1234... With that, WireGuard will receive ports 10 - 8000, except 67 and 68.

Note: if your server gets an IP from a DHCP server, don't forward 67 & 68. I also skipped the target port. It may still work if it is in the range, but it is less for it to compute.

jaminmc, Apr 27 '23 05:04
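The feature the issue asks for (pick a listen port, list alternative ports, and have the script emit the iptables redirect) and the PostUp/PostDown lines from the comment above can be generated by a small POSIX shell function. The script below is an added example written for this page; it is not part of the wireguard-install project and not the code of either poster. The interface name `eth0`, the file name `wg-multiport.sh`, and the function names are assumptions. It validates the port list before printing the rules: malformed entries, entries that already cover the listen port, entries that cover the DHCP ports 67 and 68 the commenter warns about, and lists that exceed the multiport limit (15 ports, a range counting as two) are rejected. Note that it emits only the nat PREROUTING rules the comment uses; because REDIRECT rewrites the destination port before the INPUT chain sees the packet, the INPUT chain still has to accept the real listen port if your default policy is DROP.

```shell
#!/bin/sh
# Added example for the wireguard-install issue "multi-port with iptables".
# Not project code. Generates PostUp/PostDown lines that REDIRECT extra UDP
# ports (or port ranges) to WireGuard's real listen port.
# Usage (file name is an assumption):  sh wg-multiport.sh eth0 443 80,554,51820

# is_port PORT: succeed if PORT is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_spec SPEC: accept one multiport entry, either "N" or "A:B" with A <= B
check_spec() {
    case "$1" in
        *:*)
            lo=${1%%:*}; hi=${1#*:}
            is_port "$lo" && is_port "$hi" && [ "$lo" -le "$hi" ]
            ;;
        *) is_port "$1" ;;
    esac
}

# spec_contains SPEC PORT: succeed if the entry covers PORT
spec_contains() {
    case "$1" in
        *:*) lo=${1%%:*}; hi=${1#*:}; [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ] ;;
        *)   [ "$1" -eq "$2" ] ;;
    esac
}

# validate_ports LISTEN ALTS: ALTS is a comma-separated multiport list.
# Rejects bad entries, entries covering LISTEN (pointless) or the DHCP
# ports 67/68 (would break a DHCP-configured server), and more than
# 15 ports in total (iptables multiport limit; a range counts as two).
validate_ports() {
    listen=$1; alts=$2; n=0
    is_port "$listen" || { echo "bad listen port: $listen" >&2; return 1; }
    old_ifs=$IFS
    IFS=,
    for spec in $alts; do
        IFS=$old_ifs
        check_spec "$spec" || { echo "bad entry: $spec" >&2; return 1; }
        spec_contains "$spec" "$listen" && { echo "$spec covers listen port $listen" >&2; return 1; }
        for p in 67 68; do
            spec_contains "$spec" "$p" && { echo "$spec covers DHCP port $p" >&2; return 1; }
        done
        case "$spec" in
            *:*) n=$((n + 2)) ;;
            *)   n=$((n + 1)) ;;
        esac
    done
    IFS=$old_ifs
    [ "$n" -ge 1 ]  || { echo "no alternative ports given" >&2; return 1; }
    [ "$n" -le 15 ] || { echo "multiport allows at most 15 ports (range = 2)" >&2; return 1; }
    return 0
}

# wg_multiport_lines IFACE LISTEN ALTS: print the four PostUp/PostDown lines
# (IPv4 and IPv6) for the [Interface] section of wg0.conf.
wg_multiport_lines() {
    iface=$1; listen=$2; alts=$3
    validate_ports "$listen" "$alts" || return 1
    for tool in iptables ip6tables; do
        echo "PostUp = $tool -t nat -A PREROUTING -i $iface -p udp -m multiport --dports $alts -j REDIRECT --to-ports $listen"
    done
    for tool in iptables ip6tables; do
        echo "PostDown = $tool -t nat -D PREROUTING -i $iface -p udp -m multiport --dports $alts -j REDIRECT --to-ports $listen"
    done
}

# Only act as a CLI when run with the three arguments; sourcing it defines the functions.
if [ $# -eq 3 ]; then
    wg_multiport_lines "$1" "$2" "$3"
fi
```

Paste the printed lines into the `[Interface]` section of the WireGuard config; the `-D` lines in PostDown remove exactly the rules the PostUp lines added, so repeated `wg-quick up`/`down` cycles do not leave duplicate nat rules behind.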