将 Wireguard 客户端的访问限制在少数服务器

我有一个 wireguard 服务器，用于控制对 AWS 中服务器网络的访问。通过 wireguard 连接的客户端的地址为 10.11.0.{2-5}。我有 4 个客户端可以完全访问 LAN - LAN 位于 10.1.255.255。一切正常。

现在我想添加一个只能访问少数服务器的客户端。

因此我在 wg0.conf 中添加了一些 PostUp 命令，并使用 iptables 将此客户端限制到这些服务器。

[请注意，我更喜欢使用 PostUp 命令而不是单独的 postup.sh 文件，因为它将自定义内容保存在一个地方。]

以下是 iptables 命令。客户端 10.11.0.{2,3,4,5} 应该能够访问所有内容。客户端 10.11.0.6 应该只能访问三个特定的 IP 地址。实际情况是，客户端 .6 仍然可以访问所有内容。

PostUp = iptables -t nat -I POSTROUTING -o eth0  -j MASQUERADE -s 10.11.0.0/16

# Add a WIREGUARD_wg0 chain
PostUp = iptables -N WIREGUARD_wg0
PostUp = iptables -A FORWARD -j WIREGUARD_wg0

# Accept traffic from valid Wireguard client IP addresses
PostUp = iptables -A WIREGUARD_wg0 -s 10.11.0.2,10.11.0.3,10.11.0.4,10.11.0.5 -i %i -j ACCEPT
# This client can only access these servers.
PostUp = iptables -A WIREGUARD_wg0 -s 10.11.0.6 -i %i -d    10.1.1.101,10.1.1.151,10.1.0.101 -j ACCEPT
PostUp = iptables -A WIREGUARD_wg0 -s 10.11.0.6 -i %i -j DROP

# Drop everything else coming through the Wireguard interface
PostUp = iptables -A WIREGUARD_wg0 -i %i -j DROP

# Return to FORWARD chain
PostUp = iptables -A WIREGUARD_wg0 -j RETURN

PostDown = iptables -t nat -D POSTROUTING -o eth0  -j MASQUERADE -s 10.11.0.0/16

# Flush and delete the WIREGUARD_wg0 chain
PostDown = iptables -D FORWARD -j WIREGUARD_wg0
PostDown = iptables -F WIREGUARD_wg0
PostDown = iptables -X WIREGUARD_wg0

以下是之后的状态wg-quick down wg0：

/etc/wireguard# iptables-save -c
# Generated by iptables-save v1.8.4 on Sat Sep  3 21:06:20 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[42:2688] -A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
[122:7896] -A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE
COMMIT
# Completed on Sat Sep  3 21:06:20 2022
# Generated by iptables-save v1.8.4 on Sat Sep  3 21:06:20 2022
*filter
:INPUT ACCEPT [33:3296]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29:4668]
[4503:562848] -A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Sat Sep  3 21:06:20 2022

然后wg-quick up wg0：

/etc/wireguard# iptables-save -c
# Generated by iptables-save v1.8.4 on Sat Sep  3 21:07:01 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
[42:2688] -A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
[122:7896] -A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE
COMMIT
# Completed on Sat Sep  3 21:07:01 2022
# Generated by iptables-save v1.8.4 on Sat Sep  3 21:07:01 2022
*filter
:INPUT ACCEPT [15:1036]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14:2920]
:WIREGUARD_wg0 - [0:0]
[4503:562848] -A FORWARD -i wg0 -j ACCEPT
[0:0] -A FORWARD -j WIREGUARD_wg0
[0:0] -A WIREGUARD_wg0 -s 10.11.0.2/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.3/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.4/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.5/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.1.101/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.1.151/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.0.101/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -i wg0 -j DROP
[0:0] -A WIREGUARD_wg0 -i wg0 -j DROP
[0:0] -A WIREGUARD_wg0 -j RETURN
COMMIT
# Completed on Sat Sep  3 21:07:01 2022

有人能指出我遗漏了什么吗？非常感谢。保罗。