From 3a8cd99ef1ad0ddd958e93a575d363558039848b Mon Sep 17 00:00:00 2001
From: Vincent Li <vincent.mc.li@gmail.com>
Date: Wed, 2 Jul 2025 18:48:39 +0000
Subject: [PATCH] wireguard: Block unauthorized traffic

commit 89b976e9a7e4da13b82de4aadadb63ffaf3031a6
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Apr 25 20:32:57 2024 +0200

    wireguard: Block unauthorized traffic

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
---
 src/initscripts/system/firewall | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 424852a01..2a8877d20 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -216,6 +216,11 @@ iptables_init() {
 	iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
 	iptables -A OUTPUT  -m policy --dir out --pol none -j IPSECBLOCK
 
+	# Block unauthorized WireGuard traffic
+	ipatbles -N WGBLOCK
+	iptables -A INPUT   -i wg+ -j WGBLOCK
+	iptables -A FORWARD -i wg+ -j WGBLOCK
+
 	# Block OpenVPN transfer networks
 	iptables -N OVPNBLOCK
 	iptables -A INPUT   -i tun+ -j OVPNBLOCK