I have a Linux machine that uses hostapd to serve a WiFi hotspot. I also have a Raspberry Pi that connects to this WiFi hotspot as a DHCP client. The Linux machine has a cellular interface and shares this internet connection with the Raspberry Pi, using IPv4 forwarding in the kernel. Furthermore, the machine has a WireGuard interface named 'wg0'. I can SSH into the Raspberry Pi from the Linux machine and successfully ping 10.10.10.1, and the IP address of the cellular interface. I can also ping the WireGuard interface at 10.10.0.3.
What I want is to block the ability of the Raspberry Pi to ping the WireGuard interface at 10.10.0.3. I would like the Raspberry Pi to be unaware of the wg0 interface's existence.
I thought I could block all traffic inbound to wg0 from the 10.10.10.0/24 subnet with the following iptables rule:
iptables -I INPUT 1 -i wg0 -s 10.10.10.0/24 -j DROP
However, the Pi can still ping 10.10.0.3. How can I make the wg0 interface invisible to connected clients on the wan0 hotspot?
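Added example, not part of the original post: in the INPUT chain `-i` matches the interface a packet arrived on, and Linux answers for any of its local addresses on any interface, so a ping from the Pi to 10.10.0.3 enters on the hotspot interface and never matches `-i wg0`. The sketch below matches on the hotspot ingress interface and the wg0 address instead; the interface name `wan0` is taken from the last line of the post, and the helper names, environment variables and the extra FORWARD rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the poster's code). Values come from the post; override via env.
HOTSPOT_IF="${HOTSPOT_IF:-wan0}"            # hotspot interface as named in the post
HOTSPOT_NET="${HOTSPOT_NET:-10.10.10.0/24}" # hotspot client subnet
WG_ADDR="${WG_ADDR:-10.10.0.3}"             # address assigned to wg0
WG_IF="${WG_IF:-wg0}"

# Print one "CHAIN rule-spec" per line (hypothetical helper).
hide_wg_rules() {
    # Locally delivered traffic: ingress is the hotspot interface and the
    # destination is the host's own wg0 address, so match on those two.
    echo "INPUT -i $HOTSPOT_IF -s $HOTSPOT_NET -d $WG_ADDR -j DROP"
    # Routed traffic from hotspot clients into the tunnel passes FORWARD, not
    # INPUT. Remove this rule if clients are meant to reach tunnel peers.
    echo "FORWARD -i $HOTSPOT_IF -o $WG_IF -j DROP"
}

# Insert each rule at the top of its chain unless it is already present.
apply_rules() {
    hide_wg_rules | while read -r chain spec; do
        # $spec is left unquoted on purpose so it splits into iptables arguments.
        iptables -C "$chain" $spec 2>/dev/null || iptables -I "$chain" 1 $spec
    done
}

# Dry run by default: print the rules. Set APPLY=1 (as root) to install them.
if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    hide_wg_rules
fi
```

DROP discards the echo request silently, so from the Pi the address looks unused rather than filtered.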