Iptables or nftables configuration in sys-vpn

I want to prevent unwanted connections from being established via an existing VPN connection. I can already restrict this in the wireguard configuration file, but I don’t fully trust it. Therefore I would like to create nftable or iptables rules for a debian 12 sys-vpn. In /etc/hosts in the sys-vpn the traffic is redirected from the domain name of the VPN to its IPv6 address.

It must be possible to send icmp traffic to the VPN address and udp traffic to port 4865 of the VPN address. In addition, only a single IPv4 address should be accessible via the VPN, namely via ports 3300 and 8340, whereby data must be able to flow in both directions for ip telephony purposes. I don’t know which commands I can use to implement this. My attempt does not work:

sudo iptables -A OUTPUT -p udp -d XXX:XXX:XXX:XXX:XXX:XXX:XXX:XXX --dport 4865 -j ACCEPT
sudo iptables -A INPUT -p udp -s XXX:XXX:XXX:XXX:XXX:XXX:XXX:XXX --dport 4865 -j ACCEPT
sudo iptables -A INPUT -m iprange --src-range -j ACCEPT
sudo iptables -A OUTPUT -m iprange --dst-range -j ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP

Can’t you do this using Qubes OS firewall?

Or maybe I didn’t quite understand what exactly do you want.

When I edit the firewall of the sys-vpn via Qubes GUI, I can only restrict which VPNs the sys-vpn can connect to. But which domains are requested by the sys-vpn via VPN connection, I could only restrict that via nftables or iptables.

You can edit the Qubes firewall rules for qubes connected to the sys-vpn and restrict the connections from these qubes through sys-vpn there.
Or do you want to restrict the connections made by sys-vpn itself through VPN connection? THen you’ll need to add the custom nft rules in sys-vpn indeed.

Also do you have Qubes OS 4.1 or Qubes OS 4.2?

Yes, I want to restrict the connections made by sys-vpn itself through VPN connection. I am using Qubes 4.1.

How exactly it doesn’t work?
It’s not blocking the connections?
What are the complete rules?

sudo iptables -nvL

It may be better to add a firewall qube between the AppVM and the VPN qube, then you could filter what the inheriting qubes can reach through the NetVM.

That won’t block what the VPN qube itself can do through the VPN network, but is it a real issue for this one?