Setting ACL rules on Exit Nodes

Hi!

I have two exit nodes, machine “A” tagged with “tag:internet”, and machine “B” tagged with “tag:internet-wl”. I want some users to be able to connect only to exit node “A” and some users only to exit node “B”. I tried everything, but couldn’t manage to make it work. Could you please help?

Here is my ACL:

{
  "groups": {
    "group:backend": ["aaa@example.com"],
    "group:admin": ["bbb@example.com"],
  },
  "tagOwners": {
    "tag:internet-wl": ["group:admin"],
    "tag:internet": ["group:admin"],
  },
  "acls": [
    {
      "action": "accept",
      "users": ["group:backend"],
      "ports": ["tag:internet:*"],
    },
    {
      "action": "accept",
      "users": ["tag:internet"],
      "ports": ["*:*"],
    },
  ],
}

Unfortunately there is not currently a way to declare that a node can access a subnet only through a particular relay. You can grant access by destination subnet, but not by which node provides that access. Sorry!

Thanks for the answer.

So for now, no way to put ACL on exit nodes (internet)?

Well, not quite. You can use ACLs to define whether someone can use exit nodes on your network at all. But you can’t currently use ACLs to define which exit nodes are allowed.

The same is true with subnet routers generally (you can grant access to a subnet or not, but if you grant subnet access to a person, you can’t specifically control which subnet relay a person can use to reach that subnet).

Hi @apenwarr, thanks for the answer again.

Could you please give an example of this?

You can use ACLs to define whether someone can use exit nodes on your network at all.

Something like this.

{
  "action": "accept",
  "users": ["group:eng"],
  "ports": ["autogroup:internet:*", "192.168.0.0/24:22"],
}

autogroup:internet is the magic incantation that grants access for a person or group to use exit nodes. “192.168.0.0/24” is an example of granting access for a user or group to access a subnet.

When you do this, you grant access for that user or group to use all your exit nodes, not any particular one.

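To make the answer concrete, here is a full policy file that applies it to the groups and tags from the question. This is an added example written for this page, not a policy posted in the thread or published by Tailscale; the e-mail addresses and the SSH port grant are placeholders, and the rule that is commented out is the original poster's approach, kept only to show why it does not give exit-node access.

```hujson
{
  // Constructed example; the addresses are placeholders.
  "groups": {
    "group:backend": ["aaa@example.com"],
    "group:admin":   ["bbb@example.com"],
  },
  "tagOwners": {
    "tag:internet":    ["group:admin"],
    "tag:internet-wl": ["group:admin"],
  },
  "acls": [
    // The rule from the question. It only lets group:backend reach the
    // tailnet address of nodes tagged tag:internet. Exit-node use is not
    // granted by reaching the exit node itself, so this gives no Internet
    // access through "A" at all.
    // {
    //   "action": "accept",
    //   "users":  ["group:backend"],
    //   "ports":  ["tag:internet:*"],
    // },

    // What actually grants exit-node use: autogroup:internet. It applies to
    // every exit node on the tailnet; a tag on a particular exit node cannot
    // narrow it to "A" or "B".
    {
      "action": "accept",
      "users":  ["group:backend"],
      "ports":  ["autogroup:internet:*"],
    },

    // Admins may use exit nodes too, and may additionally SSH to the exit
    // nodes themselves (port 22 is a placeholder for whatever admin access
    // those machines need).
    {
      "action": "accept",
      "users":  ["group:admin"],
      "ports":  ["autogroup:internet:*", "tag:internet:22", "tag:internet-wl:22"],
    },
  ],
}
```

The practical consequence of the grant being all-or-nothing is worth checking before advertising a second exit node: once a user or group has autogroup:internet, they can select any node that advertises itself as an exit node, so a machine that only a subset of users should egress through should simply not be advertised as an exit node at all.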