
Let's say I have two devices at home:

  • One is not connected to the Ethernet, as I don't want it to be hackable.
  • The other is a classic computer with Internet access.

I'd like to get the status of the off-grid device without creating a breach. I have personal data that I'd like not to go onto the Internet.

What I'd like to do is the following scheme:

+------------+            +------------+            +------------+            +------------+
|  Off-grid  |------X-----|  One-way   |------X-----|  Internet  |-----<------|    The     |
|   device   |------>-----|  Router    |------>-----|   Router   |----->------|  Internet  |
+------------+            +------------+            +------------+            +------------+
                                                     -----   |                              
                          +------------+     ---<---/   -----|                              
                          |   My PC    |----/ ---->----/                                    
                          |            |-----/                                              
                          +------------+                                                    


I've added a one-way router (basically a device with two Ethernet ports) that would:

  • Allow the off-grid device to send Ethernet packets
  • Forbid Ethernet packets from going to the off-grid device
  • Forward Ethernet packets to the Internet router
  • Forbid packets from going from the Internet router to the one-way router
  • The one-way router's configuration will be done through a serial connection

The iptables rules would look like this:

# Enable forwarding between the two interfaces (eth0 = off-grid side, eth1 = Internet-router side);
# with this set to 0 the FORWARD rules below would never see a packet
echo 1 > /proc/sys/net/ipv4/ip_forward

# Drop anything in the FORWARD chain that is not explicitly allowed below
iptables -P FORWARD DROP

# Drop all incoming packets on eth1 (the router itself is unreachable from the Internet side)
iptables -A INPUT -i eth1 -j DROP

# Drop all outgoing packets on eth0 (the router itself never talks to the off-grid device)
iptables -A OUTPUT -o eth0 -j DROP

# Forward all packets from eth0 to eth1
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# Let replies to those connections come back to eth0 (without this, TCP cannot complete a handshake)
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

My question is simple: would that work? If yes, is there any way for a hacker to get access to the protected device?

Manitoba
  • What model of one-way router are you going to use? I have not seen what you want to do. I suspect if you get it connected, it can be hacked if you do not secure it properly. – John Apr 30 '23 at 11:31
  • "One is not connected to the Ethernet" - so, what is the connection shown in your diagram? Serial? WiFi? Something else? – Jaromanda X Apr 30 '23 at 11:33
  • @John I was thinking of an RPi with two USB-to-Ethernet devices. – Manitoba Apr 30 '23 at 12:13
  • @JaromandaX I meant that, today, one of the devices is not connected, and I'd like it to be, just to get its status. – Manitoba Apr 30 '23 at 12:13
  • I have not seen such a thing work. Just secure your devices, especially the main router. 16 characters, upper/lower case, numbers/letters, special characters takes thousands of years to brute-force. – John Apr 30 '23 at 12:16
  • @Manitoba you keep saying it's not connected ... so how are you supposed to communicate with a device that is not connected? Your diagram shows some sort of connection, you say it's NOT Ethernet, I'm asking what it is if it's not Ethernet. – Jaromanda X Apr 30 '23 at 12:37
  • Sorry, my message was not clear enough. What I'd like to do is to connect the device to the Internet, but only one way (TX only). My device will be pushing its status to a web server (local or remote, it does not matter). As I don't want the device to be hacked, I was wondering if the Ethernet connection could be used in a single direction (see my diagram). – Manitoba Apr 30 '23 at 12:44
  • I have never seen a one-way Ethernet or router. If you connect it, you are exposed. – John Apr 30 '23 at 13:16
  • Even if packets are dropped? I don't understand how a hacker could reach the device that way. – Manitoba Apr 30 '23 at 13:30
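The question's ruleset and the last comment ("Even if packets are dropped?") both turn on what the RELATED,ESTABLISHED rule actually lets through. The script below is an added example, not code from the question or its comments: a toy model of the iptables FORWARD chain with a simplified connection tracker. It assumes eth0 faces the off-grid device and eth1 faces the Internet router, as the question's forwarding rule implies, and all addresses and ports are constructed sample values. It runs the question's two FORWARD rules, and a stricter push-only variant, over the same sample packets.

```python
"""Toy model of an iptables FORWARD chain with connection tracking.

Added example, not part of the original question. Assumes eth0 = off-grid
side, eth1 = Internet-router side. Addresses/ports are constructed samples.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One FORWARD rule; None fields match anything, like omitted iptables options."""
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[FrozenSet[str]] = None   # models "-m state --state ..."
    target: str = "ACCEPT"

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.in_if is None or self.in_if == pkt.in_if)
                and (self.out_if is None or self.out_if == pkt.out_if)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.states is None or state in self.states))


class ForwardChain:
    """First matching rule wins; otherwise the chain policy (DROP here) applies."""

    def __init__(self, rules: List[Rule], policy: str = "DROP") -> None:
        self.rules = rules
        self.policy = policy
        # Simplified conntrack: 5-tuples of flows whose first packet was accepted.
        self.flows = set()

    def _state(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def verdict(self, pkt: Packet) -> Tuple[str, str]:
        state = self._state(pkt)
        target = next((r.target for r in self.rules if r.matches(pkt, state)), self.policy)
        if target == "ACCEPT":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return state, target


def simulate(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Return the ACCEPT/DROP verdict for each packet, in order, on a fresh chain."""
    chain = ForwardChain(rules)
    return [chain.verdict(p)[1] for p in packets]


# Constructed sample hosts (documentation ranges).
DEVICE, WEB, COLLECTOR, OTHER = "10.0.0.2", "203.0.113.10", "203.0.113.20", "198.51.100.7"

# The question's two FORWARD rules, with a DROP policy for everything else.
QUESTION_RULES = [
    Rule(in_if="eth0", out_if="eth1"),
    Rule(in_if="eth1", out_if="eth0", states=frozenset({"RELATED", "ESTABLISHED"})),
]

# Stricter variant: only a UDP status push leaves; nothing is ever forwarded back.
PUSH_ONLY_RULES = [
    Rule(in_if="eth0", out_if="eth1", proto="udp", dport=514),
]

# Constructed traffic sample, in arrival order.
TRAFFIC = [
    Packet("eth0", "eth1", "tcp", DEVICE, 40000, WEB, 443),        # device opens HTTPS to web server
    Packet("eth1", "eth0", "tcp", WEB, 443, DEVICE, 40000),        # server's reply (handshake, data ...)
    Packet("eth1", "eth0", "tcp", OTHER, 5555, DEVICE, 22),        # unsolicited inbound connection
    Packet("eth0", "eth1", "udp", DEVICE, 40001, COLLECTOR, 514),  # one-shot UDP status datagram
    Packet("eth1", "eth0", "udp", COLLECTOR, 514, DEVICE, 40001),  # anything sent back to the device
]

if __name__ == "__main__":
    for name, rules in (("question", QUESTION_RULES), ("push-only", PUSH_ONLY_RULES)):
        print(name, simulate(rules, TRAFFIC))
```

Under the question's rules, only the unsolicited inbound connection is dropped: the web server's reply, and any data the remote side chooses to put into that established flow, is forwarded to the off-grid device, because TCP cannot work without the return path. The push-only variant forwards nothing toward eth0, so the device can only emit UDP datagrams (a TCP handshake can never complete); that is the closest an iptables box gets to a one-way link, with the caveat that the router itself remains an ordinary, reachable host that must be kept patched, unlike a hardware data diode.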

0 Answers