
Conntrack Firewall

If you are using the WireGuard interface for development work, you can set up a default-deny firewall on the interface: everything arriving on it is dropped except replies to connections that your host initiated. Add the following lines to the configuration file, between the PostUp and PreDown lines added in the previous section:

```ini
# Accept replies to connections that originated on this host. iptables
# evaluates a chain top to bottom, so this must be appended before the DROP.
PostUp = iptables -A INPUT -i %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A INPUT -i %i -j DROP
PostUp = iptables -A OUTPUT -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PreDown = iptables -D INPUT -i %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PreDown = iptables -D INPUT -i %i -j DROP
PreDown = iptables -D OUTPUT -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

Then, to allow specific ports through the firewall, run the following commands, replacing the interface name and port. `-I INPUT 1` inserts the rule at the top of the INPUT chain, so it is evaluated before the DROP rule appended above; a rule added with `-A` would land below the DROP and never match.

```bash
# For TCP
iptables -I INPUT 1 -i <interface_name> -p tcp --dport <port> -j ACCEPT
# For UDP
iptables -I INPUT 1 -i <interface_name> -p udp --dport <port> -j ACCEPT
```

Example for allowing SSH on interface wg1:

```bash
iptables -I INPUT 1 -i wg1 -p tcp --dport 22 -j ACCEPT
```

Note: Port exceptions added by hand this way are not tied to the interface; they stay in place after the interface goes down and persist until you reboot the computer. To open these ports automatically whenever the WireGuard interface starts, and close them again when it stops, add the corresponding PostUp and PreDown commands to your configuration file.
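Two things in the procedure above are easy to get wrong: the PostUp/PreDown pair for a port exception has to be written by hand, and an ACCEPT that ends up below the interface's DROP silently does nothing. The shell helpers below are an added example, not code from the Hoppy Network page or its configuration. They assume the interface name `wg1`, and both `iptables -S INPUT` listings embedded in the script are constructed for illustration rather than captured from a real host. `port_exception` emits the PostUp/PreDown pair that opens one port for the lifetime of the interface; `unreachable_accepts` reads an `iptables -S INPUT` listing and reports ACCEPT rules for the interface that sit below its catch-all DROP.

```bash
#!/bin/sh
# Added example for the conntrack firewall section; not code from the
# Hoppy Network page. Interface "wg1" and both rule listings below are
# constructed sample data, not captured from a real host.

# Print the PostUp/PreDown pair that opens one port on the WireGuard
# interface for as long as it is up. "-I INPUT 1" puts the ACCEPT at the
# top of the chain, ahead of the DROP appended by the base rules; "-D"
# deletes by rule specification, so no position is needed. The %%i is
# printf escaping for the literal %i that wg-quick expands.
port_exception() {
  proto="$1"   # tcp or udp
  port="$2"    # destination port
  printf 'PostUp = iptables -I INPUT 1 -i %%i -p %s --dport %s -j ACCEPT\n' "$proto" "$port"
  printf 'PreDown = iptables -D INPUT -i %%i -p %s --dport %s -j ACCEPT\n' "$proto" "$port"
}

# Audit an INPUT chain listing (the output of `iptables -S INPUT`, read
# from stdin) for ACCEPT rules on the given interface that appear below
# that interface's catch-all DROP. Such rules never match, so a port the
# administrator believes is open is still blocked. Prints each dead rule
# and returns 1 if any were found, 0 if the chain is ordered correctly.
unreachable_accepts() {
  awk -v iface="$1" '
    # Only rules scoped to this interface: -A INPUT -i <iface> ...
    $1 == "-A" && $2 == "INPUT" && $3 == "-i" && $4 == iface {
      if ($0 ~ /-j DROP$/) { dropped = 1; next }
      if (dropped && $0 ~ /-j ACCEPT$/) { print; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Constructed listing: the conntrack ACCEPT and the SSH exception both
# sit above the DROP, which is the intended layout.
CHAIN_OK='-P INPUT ACCEPT
-A INPUT -i wg1 -p tcp --dport 22 -j ACCEPT
-A INPUT -i wg1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wg1 -j DROP'

# Constructed listing: a UDP 53 rule was added with -A instead of
# -I INPUT 1, so it landed below the DROP and can never match.
CHAIN_DEAD="$CHAIN_OK
-A INPUT -i wg1 -p udp --dport 53 -j ACCEPT"

# Run the audit against a listing held in a variable; on a live host
# you would pipe `iptables -S INPUT` into unreachable_accepts instead.
audit_listing() {
  printf '%s\n' "$1" | unreachable_accepts wg1
}

# Stand-alone demo: the config lines for SSH, then both audits (the
# second prints the dead UDP rule before its message).
port_exception tcp 22
audit_listing "$CHAIN_OK" && echo "CHAIN_OK: every ACCEPT precedes the DROP"
audit_listing "$CHAIN_DEAD" || echo "CHAIN_DEAD: the rule(s) above never match"
```

On a real host the audit is `iptables -S INPUT | unreachable_accepts wg1` after `wg-quick up wg1`; a non-zero exit means at least one port exception is unreachable and should be re-added with `-I INPUT 1`.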

© Hoppy Network 2026. All rights reserved.