I have a number of self hosted services on my home server, running Arch Linux.
Context
A number of these are held in Docker containers (each with their own Docker compose file), though one (Jellyfin) is installed via pacman. Using Nginx Proxy Manager, I have set up proxy sites for each service (using the http scheme, the local IP, and the respective port for the service), and generated an SSL certificate for the site and its subdomains.
Issue
My problem comes in that I am using Mullvad VPN with WireGuard following the guide available here. Pertinent to this question is the section on the kill switch and local network sharing (available here). Implementing these two iptables rules for when WireGuard is up or down works well for ssh connections. The rule, to be clear, is as follows:
REJECT all -- 0.0.0.0/0 !192.168.0.0/24 mark match ! 0xca6c ADDRTYPE match dst-type !LOCAL reject-with icmp-port-unreachable
This is as per the guide provided by Mullvad, linked above.
Though I can ssh to the server, when attempting to connect to the Docker services via my browser, I am met with a 502 error.
Conversely, flushing the OUTPUT chain rules (of which there is only one) allows the services to work. The same is true if I run wg-quick down wg-proxy.conf.
Question
What I am wondering is whether, in the same way the iptables rule rejects all traffic except the LAN IPs, I can do the same for 'WAN' IPs.
Put another way, I would like to keep the iptables rules set by WireGuard above, but also allow my services to not generate a 502 error and only be accessible to addresses on my local network (ideally, if an explanation could be given with any answers so that I could extend the rule to a future Tailscale setup, that would be much appreciated).
My apologies if I have formatted my question poorly here or omitted any information, as I am very new to this process.
Thank you for reading.
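To make the REJECT rule quoted in the question easier to reason about, here is an added model of its match logic (illustration written for this page, not code from the question, from Mullvad's guide, or from wg-quick). The rule rejects a locally generated packet only when all three negated matches hold at once: the destination is outside 192.168.0.0/24, the packet does not carry the 0xca6c fwmark that wg-quick puts on tunnel-bound traffic, and the destination is not one of the host's own addresses (ADDRTYPE dst-type LOCAL). The host addresses, the Docker bridge address and the peer addresses below are constructed sample values, and the 172.16.0.0/12 and 100.64.0.0/10 ranges are assumptions standing in for a Docker bridge network and a Tailscale network respectively.

```python
"""Model of the iptables OUTPUT rule from the question:

  REJECT all -- 0.0.0.0/0 !192.168.0.0/24 mark match ! 0xca6c ADDRTYPE match dst-type !LOCAL

The model evaluates which constructed sample flows the rule would reject, and
shows how adding further allowed ranges (as extra ACCEPT rules ahead of the
REJECT would) changes the verdicts.  Added illustration, not code from the page.
"""
from dataclasses import dataclass
import ipaddress

# The LAN exception present in the rule as written.
LAN = ipaddress.ip_network("192.168.0.0/24")
# fwmark that wg-quick applies to packets it routes through the tunnel.
WG_MARK = 0xCA6C
# Assumption: addresses configured on the host itself (what ADDRTYPE
# dst-type LOCAL matches).  Constructed sample values.
LOCAL_ADDRS = {
    ipaddress.ip_address("192.168.0.10"),  # LAN address of the server
    ipaddress.ip_address("172.17.0.1"),    # host side of a Docker bridge
    ipaddress.ip_address("127.0.0.1"),
}


@dataclass
class Packet:
    """A locally generated packet, reduced to the fields the rule inspects."""
    dst: str
    mark: int = 0


def rule_rejects(pkt, allowed=(LAN,)):
    """True when the REJECT rule would drop this packet.

    `allowed` models the LAN exception plus any extra ranges for which an
    ACCEPT rule has been inserted ahead of the REJECT.
    """
    dst = ipaddress.ip_address(pkt.dst)
    dst_not_allowed = not any(dst in net for net in allowed)
    not_tunnel_marked = pkt.mark != WG_MARK
    dst_not_local = dst not in LOCAL_ADDRS
    return dst_not_allowed and not_tunnel_marked and dst_not_local


# Constructed sample flows, named by what they represent.
SAMPLE_FLOWS = {
    # Reply from a host service to a browser on the LAN.
    "reply to LAN browser": Packet("192.168.0.20"),
    # Reply from a host-installed service (e.g. Jellyfin) to a reverse proxy
    # running in a Docker container on a bridge network (assumed 172.18.0.0/16).
    "reply to Docker proxy container": Packet("172.18.0.3"),
    # Internet-bound packet that wg-quick has marked for the tunnel.
    "marked internet via tunnel": Packet("203.0.113.5", mark=WG_MARK),
    # Same destination without the mark: the kill switch must stop it.
    "unmarked internet": Packet("203.0.113.5"),
    # Packet addressed to the host's own bridge address.
    "to own bridge address": Packet("172.17.0.1"),
    # Peer on an assumed Tailscale network (CGNAT range 100.64.0.0/10).
    "tailscale peer": Packet("100.64.0.5"),
}


def verdicts(extra_allowed=()):
    """Evaluate every sample flow; extra_allowed lists additional CIDR ranges
    to exempt from the REJECT, as inserted ACCEPT rules would."""
    allowed = (LAN,) + tuple(ipaddress.ip_network(n) for n in extra_allowed)
    return {name: rule_rejects(pkt, allowed) for name, pkt in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    print("Rule as written:")
    for name, rejected in verdicts().items():
        print(f"  {'REJECT' if rejected else 'accept'}  {name}")
    print("With Docker and Tailscale ranges exempted:")
    for name, rejected in verdicts(["172.16.0.0/12", "100.64.0.0/10"]).items():
        print(f"  {'REJECT' if rejected else 'accept'}  {name}")
```

The model shows why a Docker bridge destination falls through to the REJECT while LAN and tunnel-marked traffic pass: a 172.x address is neither in 192.168.0.0/24 nor one of the host's own addresses, and a reply to a container never carries the wg-quick mark. In iptables terms, the `extra_allowed` list corresponds to inserting an ACCEPT rule for each additional private range ahead of the REJECT (for example `iptables -I OUTPUT -d 172.16.0.0/12 -j ACCEPT`, with the actual subnet taken from `docker network inspect`); because those ranges are not routable on the internet, exempting them does not weaken the kill switch for internet-bound traffic, and the same approach applies to the 100.64.0.0/10 range a Tailscale interface uses.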