To create your own set of Netfilters you can save your rules in:
/storage/.config/iptables/rules.v4 for ipv4
/storage/.config/iptables/rules.v6 for ipv6
To modify tables, edit with nano then save with:
However, what would these iptables be?
Something like: iptables -A INPUT -s 192.168.0.45/32 -j ACCEPT #firstgooglehit
As you can see it sets INPUT to accept so your “mask command” works. But you have Docker and it sets forward and also nat rules otherwise those dockers would not be accessible.
With vpn or wireguard it’s the same you need to set nat and forwarding otherwise it will not work.
OpenVPN does that automatically but wireguard is very raw. Debian or Ubuntu have helper scripts like wg-quick for that.
Maybe the little manual to turn CoreELEC into a zerotier gateway can help you, the full article is here.
It tries to include the following command lines in CoreELEC (I do this in /storage/.config/autostart.sh)
echo 1 > /proc/sys/net/ipv4/ip_forward
(this is required, default ip_forward in CoreELEC is 0)
iptables -A FORWARD -i ztc3quell2 -o eth0 -j ACCEPT
(everything coming from the zerotier interface to eth0 domain IPs are accepted)
iptables -A FORWARD -i eth0 -o ztc3quell2 -m state --state ESTABLISHED,RELATED -j ACCEPT
(no one with an IP in the eth0 domain can initiate a conversation destined for zerotier but can converse with previously established communications from zerotier)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
(mask everything that comes out of eth0)
route add -net 192.168.8.0 netmask 255.255.255.0 gw 10.10.10.12
(allows to find a remote IP in another domain 192.168.8.0/24 whose gateway is other remote zerotier device with IP 10.10.10.12)
I did something like this as a project for my Raspberry Pi 4 with Pihole, Unbound and Wireguard (as a client for a Wireguard server on my VPS) installed on a gateway interface. The said gateway should be on a different subnet than the one you are using to connect the device to the internet. It involves using dnsmasq, hostapd and dhcpcd. The only iptables rule that you have to add is the one that accepts input traffic from the gateway interface (wg0) then outputs to the internet (etho). Then lastly, ip forwarding via net.ipv4.ip_forward=1.
The overview is, you host an AP (hostapd) on a wireless interface (wlan0) with a specific static IP/subnet (dhcpcd). Clients connect to it and are given DHCP addresses from that subnet (dnsmasq). Then the traffic is forwarded from that interface to the internet (e.g. eth0 or another wlan).
I have no idea how to do these on CoreELEC because I’m new to it (just installed it yesterday) but I’m giving you one on how you might.