A fun iptables question (port forwarding bliss)

Hey there guys, long-time user, first-time poster, and I thought I would start with a fun one.

I have had a WireGuard setup for the last few years with a VPS and some servers that are connected to it. The VPN has some public IP addresses allocated to it and I'm just using iptables to redirect traffic to these servers on the WireGuard network.

Now this is the only thing I have left that I have not moved over to NetBird, and I thought I would spin up a test and see if I can make this kind of setup work.

What I have done is spun up a clean Ubuntu VPS instance, spun up a local one and connected them both to my NetBird instance. I've set up a group and assigned them to it, allowed all traffic through it and set up the VPS as an exit node.

I install nginx and add an iptables port route to this and bam, it's working. Which is great! However, I'm having an issue with masquerading.

I have my iptables set up to pass on the external IP address using the following, with the VPS external IP being x.x.x.x, my VPS NetBird IP being y.y.y.y and my server being z.z.z.z:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -d x.x.x.x/32 -j DNAT --to-destination z.z.z.z:80
iptables -t nat -A POSTROUTING -s z.z.z.z -j SNAT --to-source x.x.x.x

This is how I have my WireGuard setup and this passes through any external IP address to the servers behind it. However, with NetBird I'm seeing the NetBird VPN IP. Here's a log example from nginx.

y.y.y.y - - [06/Aug/2025:02:28:57 +0000] "GET / HTTP/1.1" 200 615 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"

I'm not sure what to do now. This looks like it's still masquerading, and checking the iptables does show that; I'm just not too sure what to do. So I thought I would throw it into the void and see if anyone has an idea. I've done as much google-fu as I can with this and did find something kind of similar to this on GitHub, but the firewall rules didn't seem to work.

Also, before anyone tells me to just throw in a reverse proxy and be done with it: the services that are behind the WireGuard setup are not HTTP, so I do need the external IPs to be passed through. This was just done as an easy way to test connectivity and to see if the correct IP address is seen.

Anyway, hope someone out there might have an idea. If I figure anything out I'll make sure to reply to this with it :joy:.

Think I have finally sorted this out for myself and thought I would share!

So on the VPS I ran the following command to see if there is any masquerading done by NetBird.

iptables -t nat -L POSTROUTING --line-numbers

Turns out it does (which is great for everything but what I want to do), as you can see here:

Chain POSTROUTING (policy ACCEPT 162 packets, 26059 bytes)
num pkts bytes target          prot opt in     out     source               destination
1   177  26967 NETBIRD-RT-NAT  all  --  any    any     anywhere             anywhere

So all I need to do is remove this entry with the following command:

iptables -t nat -D POSTROUTING <number>

Since I am going to have multiple IP addresses on this VPS, I added the POSTROUTING rule from the above post.

On the local instance, all I need to do is allow all network traffic to access the port. For this example it was port 80 TCP.

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

Bam, done! Network traffic is flowing through thanks to setting up the VPS as an exit node previously, and all is good.

I would like to add that these iptables rules will reset when the workstations are restarted and will need to be reapplied in whatever way you need to (need to see if the masquerade is reapplied automatically or not, for example), but if anyone else is looking for a way to do this, hopefully this helps.
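Wrapping the reply's steps in a script, as an added example that is not part of the thread: it parses the POSTROUTING listing for the NETBIRD-RT-NAT entry, deletes it by number, and adds the DNAT/SNAT pair only if it is not already present, so the script can be re-run after the reboot reset mentioned above without duplicating rules. The public IP, server IP, port and the DRY_RUN switch are assumptions for illustration, and the sample listing is constructed to match the shape of the output in the post.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes iptables is in PATH and
# the script runs as root; DRY_RUN=1 only prints the commands it would run and
# parses the constructed listing below instead of the live NAT table.

# Constructed sample of `iptables -t nat -L POSTROUTING --line-numbers`,
# shaped like the listing in the post (addresses from documentation ranges).
SAMPLE_POSTROUTING='Chain POSTROUTING (policy ACCEPT 162 packets, 26059 bytes)
num pkts bytes target          prot opt in     out     source               destination
1   177  26967 NETBIRD-RT-NAT  all  --  any    any     anywhere             anywhere
2     5    300 SNAT            all  --  any    any     100.64.0.2           anywhere             to:203.0.113.10'

# Rule numbers (highest first, so earlier deletions do not renumber later ones)
# of POSTROUTING entries whose target is the NetBird NAT chain.
netbird_nat_rule_numbers() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $4 == "NETBIRD-RT-NAT" { print $1 }' | sort -rn
}

# Execute a command, or just show it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Append a nat rule unless an identical one already exists (-C returns non-zero
# when the rule is absent), which keeps repeated runs idempotent.
ensure_nat_rule() {
  if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -t nat -C "$@" 2>/dev/null; then
    run iptables -t nat -A "$@"
  fi
}

# forward_port PUBLIC_IP SERVER_NETBIRD_IP TCP_PORT
forward_port() {
  pub=$1; srv=$2; port=$3
  if [ "${DRY_RUN:-0}" = 1 ]; then
    listing=$SAMPLE_POSTROUTING
  else
    listing=$(iptables -t nat -L POSTROUTING --line-numbers)
  fi
  for n in $(netbird_nat_rule_numbers "$listing"); do
    run iptables -t nat -D POSTROUTING "$n"
  done
  ensure_nat_rule PREROUTING -p tcp --dport "$port" -d "$pub/32" \
    -j DNAT --to-destination "$srv:$port"
  ensure_nat_rule POSTROUTING -s "$srv" -j SNAT --to-source "$pub"
}
```

Try it first with `(export DRY_RUN=1; forward_port 203.0.113.10 100.64.0.2 80)` to see the commands before touching the live table. Removing the NETBIRD-RT-NAT entry stops masquerading for every flow leaving the exit node, not just this port, so each forwarded public address needs its own SNAT rule as in the post.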