Thanks for the tips, here are the results...
telnet 10.9.0.33 8007 from the wg network shows this on the RPi4:
# tcpdump -n -i wg0 port not 22
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg0, link-type RAW (Raw IP), snapshot length 262144 bytes
09:16:48.015476 IP 10.9.0.1.46968 > 10.9.0.33.8007: Flags [S], seq 1552326368, win 33120, options [mss 1380,sackOK,TS val 3656499737 ecr 0,nop,wscale 9], length 0
09:16:49.052739 IP 10.9.0.1.46968 > 10.9.0.33.8007: Flags [S], seq 1552326368, win 33120, options [mss 1380,sackOK,TS val 3656500775 ecr 0,nop,wscale 9], length 0
09:16:50.076939 IP 10.9.0.1.46968 > 10.9.0.33.8007: Flags [S], seq 1552326368, win 33120, options [mss 1380,sackOK,TS val 3656501799 ecr 0,nop,wscale 9], length 0
09:16:51.100906 IP 10.9.0.1.46968 > 10.9.0.33.8007: Flags [S], seq 1552326368, win 33120, options [mss 1380,sackOK,TS val 3656502823 ecr 0,nop,wscale 9], length 0
09:16:52.124965 IP 10.9.0.1.46968 > 10.9.0.33.8007: Flags [S], seq 1552326368, win 33120, options [mss 1380,sackOK,TS val 3656503847 ecr 0,nop,wscale 9], length 0
09:16:53.148508 IP 10.9.0.1.46968 > 10.9.0.33.8007: Flags [S], seq 1552326368, win 33120, options [mss 1380,sackOK,TS val 3656504871 ecr 0,nop,wscale 9], length 0
09:16:55.197662 IP 10.9.0.1.46968 > 10.9.0.33.8007: Flags [S], seq 1552326368, win 33120, options [mss 1380,sackOK,TS val 3656506920 ecr 0,nop,wscale 9], length 0
09:16:59.232050 IP 10.9.0.1.46968 > 10.9.0.33.8007: Flags [S], seq 1552326368, win 33120, options [mss 1380,sackOK,TS val 3656510951 ecr 0,nop,wscale 9], length 0
09:17:07.293972 IP 10.9.0.1.46968 > 10.9.0.33.8007: Flags [S], seq 1552326368, win 33120, options [mss 1380,sackOK,TS val 3656519016 ecr 0,nop,wscale 9], length 0
09:17:23.676975 IP 10.9.0.1.46968 > 10.9.0.33.8007: Flags [S], seq 1552326368, win 33120, options [mss 1380,sackOK,TS val 3656535399 ecr 0,nop,wscale 9], length 0
# iptables -v -L
Chain INPUT (policy ACCEPT 18207 packets, 19M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 22 packets, 1224 bytes)
pkts bytes target prot opt in out source destination
715 370K DOCKER-USER all -- any any anywhere anywhere
715 370K DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
342 263K ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
5 260 DOCKER all -- any docker0 anywhere anywhere
346 106K ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 13987 packets, 1706K bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
5 260 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:8036
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
346 106K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
715 370K RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any docker0 anywhere anywhere
346 106K RETURN all -- any any anywhere anywhere
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
715 370K RETURN all -- any any anywhere anywhere
It looks like FORWARD is set to DROP, but I have no idea how to set up a rule for my case.
# iptables -v -t nat -L
Chain PREROUTING (policy ACCEPT 33 packets, 10833 bytes)
pkts bytes target prot opt in out source destination
110 22768 DOCKER all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
22 1224 DNAT tcp -- wg0 any anywhere anywhere tcp dpt:8007 to:192.168.34.7:80
Chain INPUT (policy ACCEPT 31 packets, 10443 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 142 packets, 26198 bytes)
pkts bytes target prot opt in out source destination
129 43730 DOCKER all -- any any anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 132 packets, 21388 bytes)
pkts bytes target prot opt in out source destination
67 22088 MASQUERADE all -- any !docker0 172.17.0.0/16 anywhere
0 0 MASQUERADE tcp -- any any 172.17.0.2 172.17.0.2 tcp dpt:8036
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 any anywhere anywhere
5 260 DNAT tcp -- !docker0 any anywhere anywhere tcp dpt:8036 to:172.17.0.2:8036
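As an added check that is not part of the original post: a small Python script that parses listings in the exact format quoted above and reports DNAT rules whose translated destination is never ACCEPTed by a FORWARD chain whose policy is DROP, together with the narrowest rule pair that would admit just that flow. The embedded listings are constructed from the excerpts above; the suggested rules are an assumption about the intended fix, not something the post contains.

```python
import re
# Constructed excerpt of the `iptables -v -L` and `iptables -v -t nat -L` output
# quoted in the post (assumption: same column layout; only the relevant chains).
FILTER_TABLE = """\
Chain FORWARD (policy DROP 22 packets, 1224 bytes)
pkts bytes target prot opt in out source destination
715 370K DOCKER-USER all -- any any anywhere anywhere
346 106K ACCEPT all -- docker0 !docker0 anywhere anywhere
"""
NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT 33 packets, 10833 bytes)
pkts bytes target prot opt in out source destination
22 1224 DNAT tcp -- wg0 any anywhere anywhere tcp dpt:8007 to:192.168.34.7:80
"""

def parse_chains(listing):
    """Map chain name -> (policy or None, [rule dicts]) from `iptables -v -L` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif current and line.strip() and not line.startswith("pkts"):
            f = line.split()  # pkts bytes target prot opt in out source destination [match...]
            chains[current][1].append({"target": f[2], "in": f[5], "dst": f[8], "extra": " ".join(f[9:])})
    return chains

def iface_matches(spec, iface):
    """Interface column semantics: 'any', an exact name, or '!name' negation."""
    return spec == "any" or (spec[1:] != iface if spec.startswith("!") else spec == iface)

def unforwarded_dnats(filter_listing, nat_listing):
    """DNATs that FORWARD (policy DROP) never ACCEPTs, with the narrowest fix for each."""
    policy, fwd = parse_chains(filter_listing)["FORWARD"]
    findings = []
    for r in parse_chains(nat_listing).get("PREROUTING", (None, []))[1]:
        m = re.search(r"to:([\d.]+):(\d+)", r["extra"])
        if r["target"] != "DNAT" or not m:
            continue
        ip, port = m.groups()
        covered = any(a["target"] == "ACCEPT" and iface_matches(a["in"], r["in"])
                      and a["dst"] in ("anywhere", ip) for a in fwd)
        if policy == "DROP" and not covered:
            # new connections from the tunnel to one backend, replies via conntrack;
            # the FORWARD DROP policy itself stays in place
            findings.append({"in": r["in"], "dst": ip, "port": port, "rules": [
                f"iptables -I FORWARD -i {r['in']} -p tcp -d {ip} --dport {port} "
                "-m conntrack --ctstate NEW -j ACCEPT",
                "iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]})
    return findings
```

The suggestion admits only new TCP connections from wg0 to 192.168.34.7:80 plus their tracked replies, so everything else stays dropped. The backend's replies still have to route back through the RPi4 (or be MASQUERADEd there) for the handshake in the tcpdump above to complete.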