Answer the question
In order to leave comments, you need to log in
How to cut off a device from access to the internal network?
Hello. Need to raise a raspberry (Raspberry) server under some need at home.
How can you protect yourself and deny access to the internal network with Raspberry?
The server can be compromised, and in the future - all other network devices.
Thank you.
Answer the question
In order to leave comments, you need to log in
In addition to the Eugene Khrustalev variant : I
assume that raspberry is not sitting on the Internet with his bare bottom, but behind some kind of router.
In this case, it would be most reasonable to move it to the so-called demilitarized zone (DMZ):
1. Settle it in a separate Ethernet segment/VLAN
2. In this segment:
2.1. Use separate gray ip-addressing
2.2. Configure NAT: Destination NAT for incoming and Source NAT for outgoing connections from Raspberry
2.3. Deny any access to the router itself, allowing only traffic transit
3. Explicitly allow only allowed types of traffic on the router:
3.1. From internal network to DMZ
3.2. From DMZ to the internal network (not worth it, but suddenly for some reason it is very necessary)
3.3. From DMZ to Internet
3.4. From the Internet to the DMZ
Thus, even if the server is hacked, rooted and iptables disabled on the raspberry, the villain will not be able to get out of there anywhere, because the traffic is cut on a router that is conditionally invulnerable to him.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question