Let me rephrase that, the ip forwarding is enabled via kernel parameters, but the forwarding rules are set via IPTables. Like I tell the wireguard interface to masquerade as the internal nebula interface instead of the default physical gateway of the device. You can get pretty granular, and just stack virtual interfaces.