Yes, of course. Without any claim to perfection…
root@nc:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 10.200.200.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 10.200.200.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
root@nc:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:51820 ctstate NEW
ACCEPT tcp -- 10.200.200.0/24 anywhere tcp dpt:domain ctstate NEW
ACCEPT udp -- 10.200.200.0/24 anywhere udp dpt:domain ctstate NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@nc:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:smtp to:10.200.200.2:25
DNAT tcp -- anywhere anywhere tcp dpt:imap2 to:10.200.200.2:143
DNAT tcp -- anywhere anywhere tcp dpt:submission to:10.200.200.2:587
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.200.200.0/24 anywhere
I use acme differently, though (because of many other certificates, including internal ones). You will probably have to add a rule for port 80 for that.
Regards, Joachim
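As an added example that is not part of Joachim's post, the shell script below audits an `iptables -S` dump of the kind shown above: it lists the default policy of each chain and the ports INPUT accepts for NEW connections, and it flags the case where INPUT's policy is ACCEPT, because then the ACCEPT rules by themselves do not block anything and every port not mentioned is reachable as well. The embedded ruleset is a constructed copy of the one in the post (with the `--` option markers as iptables prints them); the function and variable names are this example's own, not from any tool.

```shell
#!/bin/sh
# Added example: audit an `iptables -S` dump for default policies and
# the INPUT ports opened for NEW connections. Not code from the forum post.

# Constructed sample: the ruleset shown in the post, as `iptables -S` emits it.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 10.200.200.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 10.200.200.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT'

# Print "CHAIN POLICY" for every -P line in the dump read from stdin.
chain_policies() {
    awk '$1 == "-P" { print $2, $3 }'
}

# Print "proto/port source" for each INPUT rule that accepts NEW traffic to a
# --dport; the source is "any" when the rule carries no -s restriction.
input_new_ports() {
    awk '
        $1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ && / --ctstate NEW/ {
            proto = "any"; port = ""; src = "any"
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i+1)
                if ($i == "--dport") port = $(i+1)
                if ($i == "-s") src = $(i+1)
            }
            if (port != "") print proto "/" port, src
        }'
}

# Exit 0 when INPUT's default policy is DROP or REJECT, 1 when it is ACCEPT
# or no -P INPUT line is present. Reads the dump from stdin.
input_policy_is_restrictive() {
    pol=$(chain_policies | awk '$1 == "INPUT" { print $2 }')
    case "$pol" in
        DROP|REJECT) return 0 ;;
        *) return 1 ;;
    esac
}

# Full report for the dump in file $1 (or stdin). Returns 1 when INPUT
# still defaults to ACCEPT, so the result can drive a monitoring check.
audit_iptables() {
    dump=$(cat "${1:--}")
    echo "Default policies:"
    printf '%s\n' "$dump" | chain_policies
    echo "INPUT ports open for NEW connections:"
    printf '%s\n' "$dump" | input_new_ports
    if printf '%s\n' "$dump" | input_policy_is_restrictive; then
        echo "INPUT policy is restrictive; the ACCEPT rules above define the exposed services."
        return 0
    fi
    echo "WARNING: INPUT policy is ACCEPT; ports not listed above are reachable too."
    return 1
}

# Stand-alone run against the constructed sample (a live box would use
# `iptables -S | audit_iptables`).
printf '%s\n' "$SAMPLE_RULES" | audit_iptables || :
```

On a live host the report is produced with `iptables -S | audit_iptables`; the non-zero exit status on an ACCEPT default policy makes it usable from a cron job or configuration check. The port-80 rule for ACME that the post mentions would show up in the "open for NEW connections" list once added, which is a quick way to confirm it was applied to the INPUT chain.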