@krisek
Created December 20, 2022 07:13
ZeroTier basic Hub and Spoke
# Create a tag for which department someone is in
tag department
id 1000 # arbitrary, but must be unique
enum 100 spoke # has no meaning to filter, but used in UI to offer a selection
enum 200 hub
;
# Whitelist only IPv4 (/ARP) and IPv6 traffic and allow only ZeroTier-assigned IP addresses
drop # drop cannot be overridden by capabilities
not ethertype ipv4 # frame is not ipv4
and not ethertype arp # AND is not ARP
and not ethertype ipv6 # AND is not ipv6
or not chr ipauth # OR IP addresses are not authenticated (1.2.0+ only!)
;
# Drop communications between spokes
drop
tseq department 100
and treq department 100
and not ethertype arp
;
# Allow SSH, HTTPS by allowing all TCP packets (including SYN/!ACK) to these ports from spokes
accept
ipprotocol tcp
and dport 48022 or dport 443
and tseq department 100
;
# Drop TCP SYN,!ACK packets (new connections) not explicitly whitelisted above
break # break can be overridden by a capability
chr tcp_syn # TCP SYN (TCP flags will never match non-TCP packets)
and not chr tcp_ack # AND not TCP ACK
;
# Create a capability called "superuser" that lets its holders override all but the initial "drop"
cap superuser
id 1000 # arbitrary, but must be unique
accept; # allow with no match conditions means allow anything and everything
;
# Accept other packets
accept;
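The rule set above reads naturally, but what a packet actually gets depends on three things the syntax does not make visible: conditions are combined strictly left to right with no precedence or grouping, "break" ends the base rules and hands the packet to the sender's capabilities, and a packet that nothing accepts is dropped. The following Python model is an added example, not ZeroTier's engine and not part of this gist; it encodes the gist's rules as predicates and runs a handful of constructed flows through them. It assumes the left-to-right evaluation just described, that a member without the "department" tag fails tseq/treq matches, and that dport matches UDP as well as TCP; field names such as `Packet`, `run_rules` and `filter_packet` are invented here.

```python
# Constructed, simplified model of ZeroTier rule evaluation (not ZeroTier's own code).
# Assumptions: conditions combine left to right with no precedence; "drop" is final;
# "break" ends the base rule set and defers to the sender's capabilities; a packet
# that no rule accepts is dropped; a missing tag never matches tseq/treq.
from dataclasses import dataclass, field

SPOKE, HUB = 100, 200  # "department" enum values from the rule set above


@dataclass
class Packet:
    ethertype: str                 # "ipv4", "arp", "ipv6", or anything else
    ipauth: bool = True            # source IP was assigned by ZeroTier
    ipprotocol: str = ""           # "tcp", "udp", ...
    dport: int = 0
    tcp_syn: bool = False
    tcp_ack: bool = False
    sender_tags: dict = field(default_factory=dict)
    receiver_tags: dict = field(default_factory=dict)
    sender_caps: set = field(default_factory=set)


# Match predicates mirroring the keywords used in the gist.
def tseq(tag, value): return lambda p: p.sender_tags.get(tag) == value
def treq(tag, value): return lambda p: p.receiver_tags.get(tag) == value
def ethertype(v): return lambda p: p.ethertype == v
def ipprotocol(v): return lambda p: p.ipprotocol == v
def dport(v): return lambda p: p.dport == v
def chr_(flag): return lambda p: getattr(p, flag)
def NOT(pred): return lambda p: not pred(p)


# A rule is (action, conditions); each condition is ("and" | "or", predicate).
BASE_RULES = [
    ("drop", [("and", NOT(ethertype("ipv4"))), ("and", NOT(ethertype("arp"))),
              ("and", NOT(ethertype("ipv6"))), ("or", NOT(chr_("ipauth")))]),
    ("drop", [("and", tseq("department", SPOKE)), ("and", treq("department", SPOKE)),
              ("and", NOT(ethertype("arp")))]),
    ("accept", [("and", ipprotocol("tcp")), ("and", dport(48022)), ("or", dport(443)),
                ("and", tseq("department", SPOKE))]),
    ("break", [("and", chr_("tcp_syn")), ("and", NOT(chr_("tcp_ack")))]),
    ("accept", []),
]
CAPABILITIES = {"superuser": [("accept", [])]}


def run_rules(rules, p):
    """Evaluate one rule set in order; return 'accept', 'drop', or None (no match / break)."""
    for action, conds in rules:
        matches = True                      # an empty condition list matches everything
        for joiner, pred in conds:
            matches = (matches or pred(p)) if joiner == "or" else (matches and pred(p))
        if matches:
            return None if action == "break" else action
    return None


def filter_packet(p):
    """Base rules first; on break or no match, any capability of the sender may accept."""
    verdict = run_rules(BASE_RULES, p)
    if verdict is not None:
        return verdict
    for cap in p.sender_caps:
        if run_rules(CAPABILITIES.get(cap, []), p) == "accept":
            return "accept"
    return "drop"


def sample_verdicts():
    """Constructed flows (not captured traffic) exercising the hub-and-spoke policy."""
    spoke, hub = {"department": SPOKE}, {"department": HUB}
    flows = {
        "spoke->spoke ssh syn": Packet("ipv4", ipprotocol="tcp", dport=48022, tcp_syn=True,
                                       sender_tags=spoke, receiver_tags=spoke),
        "spoke->spoke arp": Packet("arp", sender_tags=spoke, receiver_tags=spoke),
        "spoke->hub ssh syn": Packet("ipv4", ipprotocol="tcp", dport=48022, tcp_syn=True,
                                     sender_tags=spoke, receiver_tags=hub),
        "hub->spoke new tcp syn": Packet("ipv4", ipprotocol="tcp", dport=22, tcp_syn=True,
                                        sender_tags=hub, receiver_tags=spoke),
        "hub->spoke syn-ack reply": Packet("ipv4", ipprotocol="tcp", dport=50000, tcp_syn=True,
                                          tcp_ack=True, sender_tags=hub, receiver_tags=spoke),
        "superuser hub->spoke new tcp syn": Packet("ipv4", ipprotocol="tcp", dport=22, tcp_syn=True,
                                                  sender_tags=hub, receiver_tags=spoke,
                                                  sender_caps={"superuser"}),
        "spoke with unauthenticated ip": Packet("ipv4", ipauth=False, ipprotocol="tcp", dport=443,
                                                sender_tags=spoke, receiver_tags=hub),
        "spoke->hub udp 443": Packet("ipv4", ipprotocol="udp", dport=443,
                                     sender_tags=spoke, receiver_tags=hub),
    }
    return {name: filter_packet(p) for name, p in flows.items()}


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{verdict:6}  {name}")
```

Running it shows the intended shape of the policy: spoke-to-spoke TCP is dropped while ARP between spokes still passes, a spoke may open SSH or HTTPS to the hub, the hub cannot open new connections to a spoke unless it holds the "superuser" capability, and replies flow freely. The last flow is the one worth auditing: because "or dport 443" is combined left to right, it overrides the earlier "ipprotocol tcp" condition, so under this model a spoke's UDP datagram to port 443 is accepted as well; if only TCP is wanted, restate the protocol after the "or".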