AllowedIPs calculator for split tunnel and firewall rules

https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/

example ranges to be excluded: 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 240.0.0.0/3

OpenBSD version. Use with pfctl -ef FILENAME. You may wish to block all connections by leaving out the port < 1023 condition.

table <ip_range> { 1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/3, 96.0.0.0/6, 100.0.0.0/10, 100.128.0.0/9, 101.0.0.0/8, 102.0.0.0/7, 104.0.0.0/5, 112.0.0.0/5, 120.0.0.0/6, 124.0.0.0/7, 126.0.0.0/8, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/8, 169.0.0.0/9, 169.128.0.0/10, 169.192.0.0/11, 169.224.0.0/12, 169.240.0.0/13, 169.248.0.0/14, 169.252.0.0/15, 169.255.0.0/16, 170.0.0.0/7, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4 }
block return out quick proto tcp to <ip_range> port < 1023 no state
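
How the table above follows from the excluded ranges, as an added example (not code from the linked calculator): it subtracts the exclusions from 0.0.0.0/0 with Python's ipaddress module and checks a rule list for overlap with them. The names allowed_ips, leaks and pf_table are assumptions made for this example.

```python
import ipaddress

# Ranges to exclude, copied from the note above. "240.0.0.0/3" has host bits
# set; strict=False normalises it to 224.0.0.0/3 instead of raising ValueError.
EXCLUDED = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
            "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/3"]


def allowed_ips(excluded, universe="0.0.0.0/0"):
    """Return the minimal sorted CIDR list covering universe minus excluded."""
    remaining = [ipaddress.ip_network(universe)]
    for raw in excluded:
        ex = ipaddress.ip_network(raw, strict=False)
        kept = []
        for net in remaining:
            if not net.overlaps(ex):
                kept.append(net)                      # untouched by this exclusion
            elif ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))  # split around the hole
            # else: net lies wholly inside ex, so it is dropped
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def leaks(cidrs, excluded):
    """Return (rule, excluded) pairs that overlap; an empty list means no leak."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    bad = [ipaddress.ip_network(e, strict=False) for e in excluded]
    return [(str(n), str(b)) for n in nets for b in bad if n.overlaps(b)]


def pf_table(cidrs, name="ip_range"):
    """Format the list as a pf table definition like the one in the note."""
    return "table <%s> { %s }" % (name, ", ".join(str(c) for c in cidrs))


if __name__ == "__main__":
    result = allowed_ips(EXCLUDED)
    print(pf_table(result))
    print("AllowedIPs = " + ", ".join(map(str, result)))
    print("overlaps with excluded ranges:", leaks(result, EXCLUDED))
```

Running leaks() over a hand-edited table before loading it catches a rule that has been widened into one of the excluded ranges.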

Windows PowerShell version (the rule is created disabled; remove -Enabled False to activate it)

# Placeholder addresses; substitute the calculated ranges
$ips = @("255.255.255.253", "255.255.255.254")
New-NetFirewallRule -DisplayName "BlockoutPublicIPv4" -Enabled False -Profile Any -RemoteAddress $ips -Direction Outbound -Protocol TCP -Action Block

Linux version (unreachable can be replaced with blackhole; remove echo to actually add the routes)

for ip in 255.255.255.253/32 255.255.255.254/32; do
    # echo only prints the command (dry run)
    echo ip route add unreachable "$ip"
    # optional: append "table 8888" to the command, then use: ip rule add uidrange 0-0 table 8888 priority 32000
done

ufw users: ufw deny out on INTERFACE to TARGET.