linux – iptables allow traffic through wireguard gateway

I have a server A running as gateway for some intranet connected on eth0. A is connected to multiple “relay nodes” like B, C, D… via WireGuard.

Assume here’s the IP setup:

Host    Address
A       10.0.0.1/24
B       10.0.0.2/24
C       10.0.0.3/24

A routes some traffic through WG. Here’s a part of A’s routing table:

...
172.16.0.0/16 via 10.0.0.2 dev wg0
172.17.0.0/16 via 10.0.0.3 dev wg0
...

I would like to allow all traffic routed through B (10.0.0.2), while blocking traffic routed through C. In pseudo-code, this is what I’m thinking:

-A FORWARD -o wg0 --via 10.0.0.2 -j ACCEPT
-A FORWARD -o wg0 --via 10.0.0.3 -j DROP
#                 ^^^^^^^^^^^^^^

There are a lot of items in the routing table that I don’t want to repeat in iptables rules. Another problem is that there’s no MAC (or L2 in general) inside WG.

Is there any way to make this work?
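One way to express "routed via B" in iptables without copying every prefix out of the routing table is to tag each route with a routing realm (`ip route ... realm N`) and match on that realm in the FORWARD chain with `-m realm`. FORWARD runs after the routing decision, so the realm of the route the packet will actually take is already known there, and the match needs no L2 information at all. The script below is an added example, not code from the question or from the iptables or WireGuard projects; it assumes a realm numbering taken from the last octet of each relay's address and a constructed `ip route show` sample named SAMPLE_ROUTES.

```shell
#!/bin/sh
# Added example: tag each wg0 route with a routing realm derived from its next
# hop, then let iptables decide per realm instead of per destination prefix.

# Constructed sample of `ip route show` output for host A (not from the question).
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
172.16.0.0/16 via 10.0.0.2 dev wg0
172.16.50.0/24 via 10.0.0.2 dev wg0
172.17.0.0/16 via 10.0.0.3 dev wg0
10.0.0.0/24 dev wg0 scope link'

# Realm id for a next hop: the last octet of its address (an assumption; any
# scheme that gives each relay node a distinct 16-bit value works).
realm_for() {
    echo "${1##*.}"
}

# Read `ip route show` lines on stdin and print one `ip route replace` per wg0
# route that goes via a gateway, re-adding the route with its realm attached.
# Connected prefixes (no gateway) and routes on other interfaces are skipped.
route_realm_cmds() {
    awk '$2 == "via" && $4 == "dev" && $5 == "wg0" {
        n = split($3, octet, ".")
        print "ip route replace " $1 " via " $3 " dev " $5 " realm " octet[n]
    }'
}

# Print the FORWARD rules: accept everything whose chosen route carries the
# allowed relay's realm, drop everything routed via the blocked relay.
# "/0xffff" masks out the source realm (kept by the kernel in the upper 16 bits
# of the realm value) so the match depends only on the destination realm.
forward_rules() {
    allow_realm=$(realm_for "$1")
    block_realm=$(realm_for "$2")
    printf 'iptables -A FORWARD -o wg0 -m realm --realm %s/0xffff -j ACCEPT\n' "$allow_realm"
    printf 'iptables -A FORWARD -o wg0 -m realm --realm %s/0xffff -j DROP\n' "$block_realm"
}

# Dry run by default: print the commands. Pass --apply (as root) to execute
# them against the live routing table instead of the constructed sample.
if [ "${1:-}" = "--apply" ]; then
    ip route show | route_realm_cmds | sh -e
    forward_rules 10.0.0.2 10.0.0.3 | sh -e
else
    printf '%s\n' "$SAMPLE_ROUTES" | route_realm_cmds
    forward_rules 10.0.0.2 10.0.0.3
fi
```

Routes have to be re-installed with the `realm` attribute (the script uses `ip route replace` with just prefix, gateway and device, so any metric or other attribute on the live routes would need to be carried over). Realm matching needs a kernel built with CONFIG_IP_ROUTE_CLASSID and the xt_realm module; nftables offers the same check as `rt classid`.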