Let's say I have two devices at home:
- One is not connected to Ethernet, as I don't want to be hackable.
- The other is a classic computer with Internet access.
I'd like to get the status of the off-grid device without creating a breach. I have personal data that I'd like not to go out on the Internet.
What I'd like to do is the following scheme:
```
+------------+            +------------+            +------------+            +------------+
|  Off-grid  |------X-----|  One-way   |------X-----|  Internet  |-----<------|    The     |
|   device   |------>-----|   Router   |------>-----|   Router   |----->------|  Internet  |
+------------+            +------------+            +------------+            +------------+
                                                         |    |
                                          +------------+ |    |
                                          |   My PC    |-<-/  |
                                          |            |-->---/
                                          +------------+
```
I've added a one-way router (basically a device with two Ethernet ports) that would:
- Allow the off-grid device to send Ethernet packets
- Forbid Ethernet packets from going to the off-grid device
- Forward Ethernet packets to the Internet router
- Forbid packets from going from the Internet router to the one-way router
- The one-way router's configuration will be done through a serial connection
The iptables rules would look like this:
```bash
# Disable forwarding of packets between interfaces by default
echo 0 > /proc/sys/net/ipv4/ip_forward
# Drop all incoming packets on eth1
iptables -A INPUT -i eth1 -j DROP
# Drop all outgoing packets on eth0
iptables -A OUTPUT -o eth0 -j DROP
# Forward all packets from eth0 to eth1
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
```
My question is simple: would that work? If yes, is there any way for a hacker to get access to the protected device?
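As an added check, not part of the question: a small Python linter that reads an iptables script like the one above (embedded as sample input) and reports anything that lets a forwarded packet reach the protected interface, beside a strictly one-way ruleset that passes the same check. The interface names eth0/eth1 come from the question; the eth0-faces-the-off-grid-device mapping is an assumption.

```python
"""Lint an iptables script for the one-way (data-diode) property. Added,
constructed example, not the question's code; assumes eth0 faces the
off-grid device and eth1 faces the Internet router."""
import shlex
PROTECTED_IF = "eth0"  # assumption: port towards the off-grid device

# The ruleset proposed in the question, embedded here as sample input.
PROPOSED = """
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i eth1 -j DROP
iptables -A OUTPUT -o eth0 -j DROP
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
"""

# Strictly one-way alternative: forwarding on, default-deny on every chain, one
# accept rule (protected side -> outside). With no return path TCP cannot complete
# a handshake, so only one-directional protocols (e.g. UDP syslog) cross; ARP is L2.
STRICT = """
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
"""

def _opt(argv, flag):
    """Value following `flag` in argv, or None if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None

def lint_one_way(script):
    """Return findings; empty means forwarding is enabled and no FORWARD rule
    can deliver a packet to PROTECTED_IF (unmatched packets included)."""
    findings, forwarding, default_drop = [], False, False
    for line in script.strip().splitlines():
        argv = shlex.split(line)
        if argv[:1] == ["echo"] and argv[-1].endswith("ip_forward"):
            forwarding = argv[1] == "1"
        elif argv[:1] == ["iptables"] and argv[1:4] == ["-P", "FORWARD", "DROP"]:
            default_drop = True
        elif argv[:1] == ["iptables"] and _opt(argv, "-A") == "FORWARD":
            if argv[-2:] == ["-j", "DROP"] and "-i" not in argv and "-o" not in argv:
                default_drop = True  # catch-all drop at the end of the chain
            elif _opt(argv, "-j") == "ACCEPT" and _opt(argv, "-o") == PROTECTED_IF:
                findings.append("rule forwards packets into the protected side: " + line)
    if not forwarding:
        findings.append("ip_forward is 0: FORWARD rules never see a packet, nothing crosses")
    if not default_drop:
        findings.append("FORWARD chain keeps its ACCEPT policy: unmatched packets pass")
    return findings
```

Run `lint_one_way(PROPOSED)` to see the three findings for the question's rules; `lint_one_way(STRICT)` returns an empty list.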