Would like advice on the iptables rules used for WireGuard configuration and self-hosting.
According to ChatGPT, my local network is not safe with the default rules applied for WireGuard.
In the logs I can see this:
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
ChatGPT recommends adding these rules to be more secure.
Block traffic > local network
iptables -A FORWARD -i wg0 -o eth0 -j DROP
Accept traffic > outside
iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Allow return traffic (Internet)
iptables -A FORWARD -i wg0 -o eth0 -p tcp --dport 80 -j ACCEPT # Allow HTTP traffic
iptables -A FORWARD -i wg0 -o eth0 -p tcp --dport 443 -j ACCEPT # Allow HTTPS traffic
iptables -A FORWARD -i wg0 -o eth0 -j DROP # Block all other traffic
ip6tables -A FORWARD -i wg0 -o eth0 -j DROP # Block IPv6 traffic to the local network
My question, as a noob in networking: is the local network secure with the default rules applied?
Regards.
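How the rules in the post above evaluate under iptables' first-match ordering, as an added Python example that is not part of the original post or the project's code. It models only the match options those rules use; the 192.168.1.0/24 LAN range, the packet values, the default ACCEPT policy and the assumption that both the LAN and the Internet are reached through eth0 are constructed for illustration.

```python
import ipaddress

FLAGS = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport",
         "-d": "dst", "--ctstate": "state", "-j": "target"}

def parse_rule(line):
    """Turn one `iptables -A FORWARD ...` line into {field: value}."""
    tok = line.split()
    return {FLAGS[t]: tok[i + 1] for i, t in enumerate(tok) if t in FLAGS}

def matches(rule, pkt):
    """True when every match option present in the rule fits the packet."""
    for field, want in rule.items():
        if field == "target":
            continue
        if field == "dst":
            ok = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(want)
        elif field == "state":
            ok = pkt["state"] in want.split(",")
        else:
            ok = pkt[field] == want
        if not ok:
            return False
    return True

def verdict(lines, pkt, policy="ACCEPT"):
    """First matching rule decides; returns (target, 1-based rule number or None)."""
    for n, line in enumerate(lines, 1):
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["target"], n
    return policy, None  # assumed chain policy when no rule matches

DEFAULT = ["iptables -A FORWARD -i wg0 -j ACCEPT"]  # from the log line in the post
SUGGESTED = [  # the five IPv4 rules from the post, in the order posted
    "iptables -A FORWARD -i wg0 -o eth0 -j DROP",
    "iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "iptables -A FORWARD -i wg0 -o eth0 -p tcp --dport 80 -j ACCEPT",
    "iptables -A FORWARD -i wg0 -o eth0 -p tcp --dport 443 -j ACCEPT",
    "iptables -A FORWARD -i wg0 -o eth0 -j DROP",
]
LAN_DROP = ["iptables -A FORWARD -i wg0 -d 192.168.1.0/24 -j DROP"]  # placeholder LAN range
# Constructed packets from a VPN client: one to a LAN host, one to an Internet host.
TO_LAN = {"in": "wg0", "out": "eth0", "proto": "tcp", "dport": "22", "dst": "192.168.1.10", "state": "NEW"}
TO_WEB = {"in": "wg0", "out": "eth0", "proto": "tcp", "dport": "443", "dst": "203.0.113.7", "state": "NEW"}

if __name__ == "__main__":
    for name, rules in [("default", DEFAULT), ("default + suggested", DEFAULT + SUGGESTED),
                        ("suggested only", SUGGESTED), ("LAN drop first", LAN_DROP + DEFAULT)]:
        print(f"{name:20} LAN={verdict(rules, TO_LAN)} WEB={verdict(rules, TO_WEB)}")
```

Rules appended with `-A` after the default `-i wg0 -j ACCEPT` are never reached for wg0 traffic, and the suggested list on its own drops everything at its first rule. When LAN and Internet traffic leave through the same interface, only a destination match (`-d`) evaluated ahead of the ACCEPT separates them.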