You don’t really need forwarding as you don’t need NAT here.

A part of the filtering can be done by wireguard by setting the allowed IPs correctly.

Just check if only one service is listening on the server port you’ll allow.

Now a question: all without tls right? ;)