I would like to group my hosts within a network and then restrict access to individual services. To do this, I followed the following instructions:
Unfortunately, the hosts do not reach each other unless I set the superuser capability.
What am I doing wrong? Is there any way to debug this error and if so, how?
Here is my current configuration:
```
tag groups
  id 1000
  flag 1 group1
  flag 2 group2
  flag 3 group3
  enum 2147483647 all
;

tag services
  id 1001
  flag 1 http_https
  flag 2 ssh
  flag 3 dns
  flag 4 smb
  enum 2147483647 all
;

# Whitelist only IPv4, IPv6, ARP traffic and allow only ZeroTier-assigned IP addresses
drop                      # drop cannot be overridden by capabilities
  not ethertype ipv4      # frame is not ipv4
  and not ethertype arp   # AND is not ARP
  and not ethertype ipv6  # AND is not ipv6
  or not chr ipauth       # OR IP addresses are not authenticated (1.2.0+ only!)
;

# Allow communications only when hosts share at least one group
break tand groups 0;

# Allow http/https when hosts share flag http_https in tag services
#accept
#  ipprotocol tcp
#  dport 80 or dport 443
#;

# Allow ssh when hosts share flag ssh in tag services
#accept
#  ipprotocol tcp
#  and dport 22
#;

# Allow dns when hosts share flag dns in tag services
#accept
#  ipprotocol udp
#  and dport 53
#;

# Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above
#break                    # break can be overridden by a capability
#  chr tcp_syn            # TCP SYN (TCP flags will never match non-TCP packets)
#  and not chr tcp_ack    # AND not TCP ACK
#;

# Create a capability called "superuser" that lets its holders override all but the initial "drop"
cap superuser
  id 1000 accept;         # allow with no match conditions means allow anything and everything
;

# Accept other packets
accept;
```
Next, I would like to add a second tag, "services", and create a rule that only allows connections between hosts that are in the same group and share the same service.
Maybe someone has already implemented this and wants to share their configuration here. I would be very happy about it.
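As an added example (not part of the original post and not ZeroTier's own code), the following Python model walks a rule list the way the post's `break tand groups 0;` rule is meant to work, and extends it with the second condition the post asks for (shared group AND shared service, expressed as two consecutive `break tand ... 0;` rules). It assumes that `flag N` sets bit N of the tag value, that `tand <tag> <value>` matches when the bitwise AND of both members' values equals `value`, that `break` ends evaluation with a drop and `accept` with an allow, and that a member with no value for a tag counts as 0; the member names and tag assignments are constructed for the demonstration, and the absent-tag behaviour in particular is an assumption to check against the ZeroTier documentation. The `shared_flags` helper is the kind of check useful when debugging why two members are not reaching each other: it names the flags the two sides actually have in common.

```python
# Added example: model of ZeroTier tag-based flow rules (not ZeroTier's code).
from dataclasses import dataclass, field

ALL = 2147483647  # "enum 2147483647 all" from the post: bits 0..30 set


def flag(bit):
    """Value contributed by 'flag <bit> <name>' (assumed: bit index)."""
    return 1 << bit


# Tag definitions mirroring the post's configuration
GROUPS = {"group1": flag(1), "group2": flag(2), "group3": flag(3), "all": ALL}
SERVICES = {"http_https": flag(1), "ssh": flag(2), "dns": flag(3),
            "smb": flag(4), "all": ALL}


@dataclass
class Member:
    name: str
    tags: dict = field(default_factory=dict)  # tag name -> integer value


def tag_value(member, tag):
    # Assumption: a member without a value for the tag behaves as value 0
    return member.tags.get(tag, 0)


def tand(sender, receiver, tag, value):
    """'tand <tag> <value>': bitwise AND of both sides' tag values == value."""
    return (tag_value(sender, tag) & tag_value(receiver, tag)) == value


def evaluate(rules, sender, receiver):
    """Walk rules top to bottom; first matching rule decides (assumed: no match -> drop)."""
    for action, match in rules:
        if match(sender, receiver):
            return "accept" if action == "accept" else "drop"
    return "drop"


def shared_flags(a, b, tag, names):
    """Names of the flags both members carry for a tag (debugging aid)."""
    common = tag_value(a, tag) & tag_value(b, tag)
    return {n for n, v in names.items() if v and (common & v) == v}


# Rule set: same group required, then same service required, then accept.
RULES = [
    ("break", lambda s, r: tand(s, r, "groups", 0)),    # break tand groups 0;
    ("break", lambda s, r: tand(s, r, "services", 0)),  # break tand services 0;
    ("accept", lambda s, r: True),                      # accept;
]

# Constructed members for the demonstration (hypothetical, not from the post)
MEMBERS = {
    "web": Member("web", {"groups": GROUPS["group1"],
                          "services": SERVICES["http_https"] | SERVICES["ssh"]}),
    "admin": Member("admin", {"groups": GROUPS["group1"] | GROUPS["group2"],
                              "services": SERVICES["ssh"]}),
    "dbsrv": Member("dbsrv", {"groups": GROUPS["group3"],
                              "services": SERVICES["ssh"]}),
    "printer": Member("printer", {"groups": GROUPS["group1"],
                                  "services": SERVICES["smb"]}),
    "untagged": Member("untagged"),  # no tags assigned at all
}


def verdicts():
    """Decision for each constructed pair; tand is symmetric so one direction suffices."""
    pairs = [("web", "admin"), ("web", "dbsrv"), ("web", "printer"), ("admin", "untagged")]
    return {f"{a}->{b}": evaluate(RULES, MEMBERS[a], MEMBERS[b]) for a, b in pairs}


if __name__ == "__main__":
    for pair, verdict in verdicts().items():
        a, b = pair.split("->")
        print(pair, verdict,
              "groups:", shared_flags(MEMBERS[a], MEMBERS[b], "groups", GROUPS),
              "services:", shared_flags(MEMBERS[a], MEMBERS[b], "services", SERVICES))
```

Running it shows `web->admin` accepted (shared group1 and ssh), `web->dbsrv` dropped at the first `break` (no common group), `web->printer` dropped at the second `break` (common group but no common service), and `admin->untagged` dropped because a member with no tag value shares nothing; under the stated assumptions that last case is exactly what makes a host unreachable until a capability such as `superuser` overrides the `break`.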