linux – iptables allow traffic through wireguard gateway

I have a server A running as gateway for some intranet connected on eth0. A is connected to multiple “relay nodes” like B, C, D… via WireGuard.

Assume here’s the IP setup:

Host Address

A routes some traffic through WG. Here’s a part of A’s routing table:

... via dev wg0 via dev wg0

I would like to allow all traffic routed through B, while blocking traffic routed through C. In pseudo-code, this is what I’m thinking:

-A FORWARD -o wg0 --via -j ACCEPT
-A FORWARD -o wg0 --via -j DROP
#                 ^^^^^^^^^^^^^^

There are a lot of items in the routing table that I don’t want to repeat in iptables rules. Another problem is there’s no MAC (or L2 in general) inside WG.

Is there any way to make this work?
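One workable approach, added here as an example and not part of the original question or any posted answer: iptables cannot match on the next hop, but A's routing table already knows which destination prefixes go via each peer. The script below reads that table, collects the prefixes whose `via` is a given peer, and prints the `ipset`/`iptables` commands that block forwarded traffic to those prefixes on wg0 while accepting the rest. The peer addresses (`B_WG_IP`, `C_WG_IP`) and the routing table sample are constructed placeholders, since the post does not give them; the awk filter accepts lines both with and without a trailing `dev wg0`.

```shell
#!/bin/sh
# Added example (not from the original question): derive, from A's routing
# table, the destination prefixes whose next hop is a given WireGuard peer,
# and turn them into an ipset that the FORWARD chain can match on.
# Assumptions: A's routes live on wg0; the peer addresses below are
# constructed placeholders, not values from the post.

B_WG_IP=10.9.0.2   # constructed placeholder for B's WireGuard address
C_WG_IP=10.9.0.3   # constructed placeholder for C's WireGuard address

# Constructed sample of `ip route show dev wg0` on A. When `dev wg0` is
# given as a filter, iproute2 omits the interface from each line; the
# filter below also copes with lines that still carry `dev wg0`.
SAMPLE_ROUTES='10.10.0.0/24 via 10.9.0.2
10.20.0.0/16 via 10.9.0.2
10.30.0.0/24 via 10.9.0.3
192.168.50.0/24 via 10.9.0.3
10.9.0.0/24 proto kernel scope link src 10.9.0.1'

# prefixes_via GATEWAY [ROUTES]
# Print every destination prefix whose next hop ("via") is GATEWAY.
# ROUTES defaults to the live table; pass it explicitly for offline use.
prefixes_via() {
    gw=$1
    routes=${2:-$(ip route show dev wg0)}
    printf '%s\n' "$routes" | awk -v gw="$gw" '
        { for (i = 1; i < NF; i++)
              if ($i == "via" && $(i + 1) == gw) { print $1; break } }'
}

# ipset_rules SETNAME GATEWAY [ROUTES]
# Emit the commands: a hash:net set holding the prefixes routed via
# GATEWAY, a DROP for forwarded traffic to those prefixes leaving wg0,
# then an ACCEPT for everything else leaving wg0 (traffic via other peers).
# Commands are printed rather than executed so they can be reviewed first
# and regenerated from a route-change hook when the table changes.
ipset_rules() {
    set_name=$1
    gw=$2
    routes=${3:-$(ip route show dev wg0)}
    echo "ipset create $set_name hash:net -exist"
    prefixes_via "$gw" "$routes" | while IFS= read -r prefix; do
        echo "ipset add $set_name $prefix -exist"
    done
    echo "iptables -A FORWARD -o wg0 -m set --match-set $set_name dst -j DROP"
    echo "iptables -A FORWARD -o wg0 -j ACCEPT"
}

# Stand-alone run: show the rules for blocking everything routed via C.
ipset_rules via_C "$C_WG_IP" "$SAMPLE_ROUTES"
```

Two caveats. The set only mirrors the routing table at generation time, so regenerate it whenever routes change. And because both the kernel and `hash:net` pick the longest matching prefix, a more specific prefix routed via B that sits inside a larger prefix routed via C must be added to the set with ipset's `nomatch` flag, or it will be dropped too. The simpler alternative, if the peer list is stable, is to give each peer its own WireGuard interface (wg0 for B, wg1 for C, and so on); routes then point at a distinct device and the original `-o` match works with no address lists at all.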