The official Tailscale subreddit. Not routinely monitored by Tailscale employees. Please contact support via https://tailscale.com/contact/support if you need further help.
Can I use acls or grants to allow all machines to talk to each other, *except* lock down one machine to prevent outgoing requests from that machine?
Help Needed
I have a public-facing cloud server, and I want to collect prometheus metrics from it. I'm thinking I can put it in my tailnet and lock it down to only allow incoming connections from the tailnet to one port. That way if it's compromised, attackers can't get into the rest of my tailnet. The problem is I don't see how to use acls to say everyone can talk, except this one machine. The docs don't say whether acl rules are evaluated in order, for instance. Any ideas?
Sort by:
Best
Open comment sort options
Best
Top
New
Controversial
Old
Q&A
ACLs only grant access, they cannot deny access, so ordering is irrelevant. Any access not granted by the ACL is denied by default.
So you’d construct your ACL to let your other hosts talk to the target one, but omit rules for the target host so that the default-deny doesn’t let it talk out. Giving the target host a unique tag will help with this task.
Thanks. So I would have to remove the standard everything-talks-to-everything section from the ACL list (below), and replace it with a list of all machines, or tag all machines except the server or something like that?
"acls": [ // Allow all connections. {"action": "accept", "src": ["*"], "dst": ["*:*"]}, ],replace with:
"acls": [ // Allow incoming connections to cloud-server {"action": "accept", "src": ["*"], "dst": ["tag:cloud-server:9100"]}, // Allow connections between all other machines {"action": "accept", "src": ["tag:internal"], "dst": ["tag:internal:*"]}, ],I was hoping to avoid having to individually tag everything (and remember to do that going forward) just to exclude this one machine. It would be great if there were a syntax to say "not tagged".
I presume tags are the way to go here; if the machine is compromised, it can't add a tag to itself, right? That has to be done in the admin interface? I'm the only user on this tailnet and I'm admin.
I do something similar with offsite exit nodes sitting on family & friend networks on my tailnet that only includes the wife and I. I have three tags: infra, personal, and offsite
Offsite nodes never are able to establish connections (except for tailscale ping and status) for debugging purposes, but otherwise can't reach anything elsewhere.
Here's my sample grant syntax:
"grants": [ //The family can access the home subnet that we're advertising { "src": ["group:family"], "dst": ["home-network"], "ip": ["*"], }, //only specific people or machines can access offsite nodes via SSH { "src": ["group:it", "tag:infra"], "dst": ["tag:offsite"], "ip": ["22"], }, //tagged personal devices residing at home can only use offsite exit nodes { "src": ["tag:personal"], "dst": ["autogroup:internet"], "via": ["tag:offsite"], "ip": ["*"], }, //There are no restrictions on exit node use for the family and those we share them with { "src": ["autogroup:shared", "group:family"], "dst": ["autogroup:internet"], "ip": ["*"], }, ],Note that tag:offsite is never a part of src so can't originate content to the tailnet
Quick question and apologies for formatting since I’m on Reddit mobile website. How do you define “home-network”? I just have it as
{ "action": "accept", "src": ["autogroup:admin"], "dst": ["192.168.1.0/24:*"], },
for my subnet router. It would be more intuitive for me to create that elsewhere and use it in the ACL