zerotier / ZeroTierOne

A Smart Ethernet Switch for Earth
https://zerotier.com

Rules to restrict multiple IPs #911

Closed mycanaletto closed 5 years ago

mycanaletto commented 5 years ago

Hello! The goal is that ZT users tagged 700 can only access servers 8, 18, 22 and 24, which are reachable via a ZT bridge.

If I activate rule A, I get access to everything.

If I activate rules B, I only get access to 192.168.200.18 and 192.168.200.22.

Any help would be welcome. I have the impression that it is impossible to restrict to more than 2 IPs... Or maybe there is another way to do it?

Thank you very much!

```
# Allow only IPv4, IPv4 ARP, and IPv6 Ethernet frames.
drop
    not ethertype ipv4
    and not ethertype arp
    and not ethertype ipv6
;
#
# Uncomment to drop non-ZeroTier issued and managed IP addresses.
#
# This prevents IP spoofing but also blocks manual IP management at the OS level and
# bridging unless special rules to exempt certain hosts or traffic are added before
# this rule.
#
#
# Allow SSH, HTTP, and HTTPS by allowing all TCP packets (including SYN/!ACK) to these ports
accept
  ipprotocol tcp
  and dport 22 or dport 80 or dport 443 or dport 137 or dport 138 or dport 139 or dport 445
;
#
# Create a tag describing which LAN destination a member is allowed to reach
tag lan_dest
  id 10                   # arbitrary, but must be unique among tags
  enum 100 to_lan1        # enum names only label the values in the UI
  enum 200 to_lan2
  enum 300 to_lan3
  enum 700 to_dev
;
#
#
# Rules OK
accept tseq lan_dest 100 and ipdest 192.168.200.0/24;
accept tseq lan_dest 200 and ipdest 192.168.210.0/24;
accept tseq lan_dest 300 and ipdest 192.168.216.0/24;

# Rule A
#accept tseq lan_dest 700 and ipdest 192.168.200.0/24;

# Rules B
accept tseq lan_dest 700 and ipdest 192.168.200.8/32;
accept tseq lan_dest 700 and ipdest 192.168.200.18/32;
accept tseq lan_dest 700 and ipdest 192.168.200.22/32;
accept tseq lan_dest 700 and ipdest 192.168.200.24/32;

#
#
# Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above
break                     # break can be overridden by a capability
  chr tcp_syn             # TCP SYN (TCP flags will never match non-TCP packets)
  and not chr tcp_ack     # AND not TCP ACK
;
#
break ipdest 192.168.200.0/24;
break ipdest 192.168.210.0/24;
break ipdest 192.168.216.0/24;
#
#drop not chr ipauth;
# Create a capability called "superuser" that lets its holders override all but the initial "drop"
cap superuser
  id 2000
  accept;
;
#
# Accept anything else. This is required since default is 'drop'.
accept;
```

mycanaletto commented 5 years ago

up...

laduke commented 5 years ago

Hi, sorry you got no response. Did you find a solution?

laduke commented 5 years ago

Tried to reproduce as simply as possible:

```
accept ipdest 10.147.20.3/32;
accept ipsrc 10.147.20.3/32;
accept ipdest 10.147.20.128/32;
accept ipsrc 10.147.20.128/32;
drop;
```

Does not work^ (ping from .128 to .3)

```
accept ztdest 1122334455; #.3
accept ztsrc 1122334455;
accept ztdest 2244668800; #.128
accept ztsrc 2244668800;
drop;
```

Does work^ (ping from .128 to .3)

Parsed rules:

```json
"rules": [
  { "ip": "10.147.20.3/32", "not": false, "or": false, "type": "MATCH_IPV4_DEST" },
  { "type": "ACTION_ACCEPT" },
  { "ip": "10.147.20.3/32", "not": false, "or": false, "type": "MATCH_IPV4_SOURCE" },
  { "type": "ACTION_ACCEPT" },
  { "ip": "10.147.20.128/32", "not": false, "or": false, "type": "MATCH_IPV4_DEST" },
  { "type": "ACTION_ACCEPT" },
  { "ip": "10.147.20.128/32", "not": false, "or": false, "type": "MATCH_IPV4_SOURCE" },
  { "type": "ACTION_ACCEPT" },
  { "type": "ACTION_DROP" }
]
```

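To make the two results in the comment above concrete, and to connect them back to the tagged rule set in the opening post, here is an added Python model of how ZeroTier walks a compiled rule list. It is written for this thread; it is not ZeroTierOne's own engine and not code from either participant. It assumes (1) rules are evaluated in order, each MATCH_* entry AND-ing (or OR-ing when `or` is set, inverted when `not` is set) into a flag that decides whether the next ACTION_* fires, after which the flag resets; (2) `ipdest`/`ipsrc` compile to MATCH_IPV4_DEST/MATCH_IPV4_SOURCE and never match a non-IPv4 frame such as the ARP request a ping needs; (3) `ztdest`/`ztsrc` compile to MATCH_DEST_ZEROTIER_ADDRESS/MATCH_SOURCE_ZEROTIER_ADDRESS and match by node ID whatever the ethertype; (4) `tseq` compiles to MATCH_TAG_SENDER; (5) a `break` with no capability in play behaves like `drop`. The node IDs 1122334455 and 2244668800 and the addresses are the ones from this thread; the node ID 0123456789 and the frames are constructed.

```python
"""Model of ZeroTier rule evaluation for this thread (added example, not ZeroTierOne code)."""
import ipaddress

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
# Assumption: a break that no capability overrides ends up as a drop.
ACTIONS = {"ACTION_ACCEPT": "accept", "ACTION_DROP": "drop", "ACTION_BREAK": "drop"}


def frame(ethertype, zt_src, zt_dst, ip_src=None, ip_dst=None, sender_tags=None):
    """A constructed frame as the filter sees it: node IDs, ethertype, IPv4 header fields, sender tags."""
    return {"ethertype": ethertype, "zt_src": zt_src, "zt_dst": zt_dst,
            "ip_src": ip_src, "ip_dst": ip_dst, "sender_tags": sender_tags or {}}


def _match(rule, fr):
    """Evaluate one MATCH_* entry; False whenever the frame lacks the field being matched."""
    t = rule["type"]
    if t == "MATCH_ETHERTYPE":
        return fr["ethertype"] == rule["etherType"]
    if t in ("MATCH_IPV4_SOURCE", "MATCH_IPV4_DEST"):
        addr = fr["ip_src"] if t == "MATCH_IPV4_SOURCE" else fr["ip_dst"]
        if fr["ethertype"] != ETH_IPV4 or addr is None:
            return False  # assumption: an ARP frame has no IPv4 header, so it can never match
        return ipaddress.ip_address(addr) in ipaddress.ip_network(rule["ip"], strict=False)
    if t == "MATCH_SOURCE_ZEROTIER_ADDRESS":
        return fr["zt_src"] == rule["zt"]
    if t == "MATCH_DEST_ZEROTIER_ADDRESS":
        return fr["zt_dst"] == rule["zt"]
    if t == "MATCH_TAG_SENDER":  # tseq: value of the given tag on the sending member
        return fr["sender_tags"].get(rule["id"]) == rule["value"]
    raise ValueError(f"match type not modelled: {t}")


def evaluate(rules, fr):
    """Return the verdict of the first action whose preceding matches hold; default is drop."""
    matches = True  # an action with no matches before it is unconditional
    for rule in rules:
        if rule["type"] in ACTIONS:
            if matches:
                return ACTIONS[rule["type"]]
            matches = True  # match state resets after every action
            continue
        hit = _match(rule, fr) != rule.get("not", False)
        matches = (matches or hit) if rule.get("or", False) else (matches and hit)
    return "drop"


def rule(action, *matches):
    """Compiled form of '<action> m1 and m2 ...;' (plain AND chaining)."""
    return list(matches) + [{"type": action}]


# laduke's two reproductions, in compiled form
BY_IP = (rule("ACTION_ACCEPT", {"type": "MATCH_IPV4_DEST", "ip": "10.147.20.3/32"})
         + rule("ACTION_ACCEPT", {"type": "MATCH_IPV4_SOURCE", "ip": "10.147.20.3/32"})
         + rule("ACTION_ACCEPT", {"type": "MATCH_IPV4_DEST", "ip": "10.147.20.128/32"})
         + rule("ACTION_ACCEPT", {"type": "MATCH_IPV4_SOURCE", "ip": "10.147.20.128/32"})
         + rule("ACTION_DROP"))
BY_NODE = (rule("ACTION_ACCEPT", {"type": "MATCH_DEST_ZEROTIER_ADDRESS", "zt": "1122334455"})
           + rule("ACTION_ACCEPT", {"type": "MATCH_SOURCE_ZEROTIER_ADDRESS", "zt": "1122334455"})
           + rule("ACTION_ACCEPT", {"type": "MATCH_DEST_ZEROTIER_ADDRESS", "zt": "2244668800"})
           + rule("ACTION_ACCEPT", {"type": "MATCH_SOURCE_ZEROTIER_ADDRESS", "zt": "2244668800"})
           + rule("ACTION_DROP"))


def ping_verdicts(rules):
    """A ping from .128 to .3 needs both the (broadcast) ARP request and the ICMP echo to pass."""
    arp = frame(ETH_ARP, "2244668800", None)  # broadcast: no unicast ZT destination in this model
    icmp = frame(ETH_IPV4, "2244668800", "1122334455", "10.147.20.128", "10.147.20.3")
    return {"arp": evaluate(rules, arp), "icmp": evaluate(rules, icmp)}


# The opening post's tagged layout, reduced to tag 100 (whole subnet) and tag 700 (two hosts)
LAN_DEST = 10
TAGGED = (rule("ACTION_ACCEPT", {"type": "MATCH_TAG_SENDER", "id": LAN_DEST, "value": 100},
               {"type": "MATCH_IPV4_DEST", "ip": "192.168.200.0/24"})
          + rule("ACTION_ACCEPT", {"type": "MATCH_TAG_SENDER", "id": LAN_DEST, "value": 700},
                 {"type": "MATCH_IPV4_DEST", "ip": "192.168.200.8/32"})
          + rule("ACTION_ACCEPT", {"type": "MATCH_TAG_SENDER", "id": LAN_DEST, "value": 700},
                 {"type": "MATCH_IPV4_DEST", "ip": "192.168.200.18/32"})
          + rule("ACTION_BREAK", {"type": "MATCH_IPV4_DEST", "ip": "192.168.200.0/24"})
          + rule("ACTION_ACCEPT"))


def tagged_verdict(tag_value, ip_dst, ethertype=ETH_IPV4):
    """Verdict for a frame from a member (constructed node ID) carrying lan_dest=tag_value."""
    fr = frame(ethertype, "0123456789", None, "10.147.20.50",
               ip_dst if ethertype == ETH_IPV4 else None, {LAN_DEST: tag_value})
    return evaluate(TAGGED, fr)


if __name__ == "__main__":
    print("by IP:  ", ping_verdicts(BY_IP))    # ARP dropped, so the ping never gets an answer
    print("by node:", ping_verdicts(BY_NODE))  # both frames accepted
    print("tag 700 -> .8:", tagged_verdict(700, "192.168.200.8"))
    print("tag 700 -> .9:", tagged_verdict(700, "192.168.200.9"))
```

Under these assumptions the IP-only set fails laduke's ping because the ARP request hits the final `drop;` without ever matching an `ipdest`/`ipsrc` line, while the node-ID set accepts it via `ztsrc`. The reduced tagged set shows how `tseq lan_dest 700 and ipdest x/32` lines stack with a later `break ipdest` over the subnet: a 700-tagged member reaches the listed hosts and is broken off from any other address in 192.168.200.0/24, while the same member's ARP still reaches the closing `accept;` because no IP match applies to it.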
mycanaletto commented 5 years ago

Thanks, I'll try this asap :-)

mycanaletto commented 5 years ago

What are 1122334455 and 2244668800?

laduke commented 5 years ago

ZeroTier node/member ID.

mycanaletto commented 5 years ago

Oops :-(

mycanaletto commented 5 years ago

I do not really see how to integrate that with my tag lan_dest...