Securing Networks in ZeroTier [ENG]

Today I needed to restrict my ZeroTier network down to two roles: the administering device and the providing device.

What does that mean?

I wanted to restrict my ZeroTier networks so that potentially compromised devices cannot connect to other devices, similar to network isolation rules. For instance, I have a ZeroTier network to connect to SMB shares on my NAS. Previously, every connected member could reach every other device, which is not helpful if grandma's notebook, possibly running ransomware, can connect to all other devices. (We ignore the question of ransomware encrypting the NAS itself for now.)

The goal is to lock the ZeroTier network down so that members may only connect to the "providing device" (the NAS), while the "administering device" (me) may connect to every system regardless of the first rule.

You have to place the following rules above the default accept line: ZeroTier evaluates rules top to bottom and stops at the first matching accept, drop or break, so anything placed below the final accept; is never reached.

The default accept line, for reference:

  # Accept anything else. This is required since default is 'drop'.
  accept;

The rules to apply, placed above that line:

  # Allow the admin device to open TCP connections to the NAS
  accept
    ipprotocol tcp                 # Allow TCP protocol
    and ipdest 10.243.223.224/32   # NAS
    and ipsrc 10.243.223.xxx/32    # Admin
  ;

  # Drop TCP SYN,!ACK packets (new connections)
  # not explicitly whitelisted above
  break
    chr tcp_syn                    # TCP SYN (TCP flags will never match non-TCP packets)
    and not chr tcp_ack            # AND not TCP ACK
  ;

Note that the accept rule as written only whitelists connections from the admin device to the NAS; with nothing else whitelisted, every other member's new TCP connections, including those to the NAS, hit the break.
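As an added example written for this edit (not code from the original post, the linked article, or the ZeroTier project), the following is a complete rule set in ZeroTier's rules language that implements the intent stated above rather than only the admin-to-NAS case: every member may open TCP connections to SMB on the NAS, the admin device may open TCP connections to any member, and all other new TCP connections are cut off. It goes slightly beyond the text by restricting the NAS rule to TCP port 445 (SMB). The NAS address 10.243.223.224 is from the post; the admin address 10.243.223.2 is an assumed placeholder.

```text
# Added example rule set (editor's own, not from the original post or ZeroTier).
# Addresses are placeholders: 10.243.223.224 is the NAS from the post,
# 10.243.223.2 is an assumed admin address. Replace with your managed IPs.

# Keep only IPv4, ARP and IPv6 frames (ZeroTier's stock first rule).
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
;

# Rule 1: any member may open TCP connections to SMB on the NAS.
accept
  ipprotocol tcp
  and ipdest 10.243.223.224/32   # NAS
  and dport 445                  # SMB over TCP
;

# Rule 2: the admin device may open TCP connections to any member.
accept
  ipprotocol tcp
  and ipsrc 10.243.223.2/32      # Admin (placeholder address)
;

# Rule 3: any other new TCP connection (SYN without ACK) stops here.
# 'break' ends evaluation of the base rules; with no capability that
# accepts the packet afterwards, it is dropped.
break
  chr tcp_syn
  and not chr tcp_ack
;

# Everything else (established TCP, UDP, ICMP, ARP) is accepted.
accept;
```

The SYN,!ACK trick works without connection tracking: a client's SYN towards the NAS matches rule 1 and is accepted, the NAS's SYN/ACK reply carries the ACK bit and so is not caught by the break, and every later segment of the connection falls through to the final accept. Two caveats: break only ends the base rules, so a member holding a capability that accepts the packet still gets through (which is also a way to grant the admin access instead of rule 2), and nothing here touches UDP or ICMP, which keep flowing between all members. Finally, ipsrc matches whatever source address the member puts into the IP header; to identify the admin by its cryptographically authenticated node identity instead, match ztsrc against the member's 10-digit ZeroTier address.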

Credit to: https://blog.reconinfosec.com/locking-down-zerotier/