Change the firewall manually to make your Synology more safe!

The default firewall in the Control Panel is so poor because the worse design of Synology’s firewall policy. You can not use the white list in the global environment if you have both IPv4 or IPv6 network environment. To decrease the risk of being hacked, I decided to change the firewall manually. We should use iptables and ip6tables to change both IPv4 and IPv6 firewall. If you have not the IPv6 network environment, you can ignore the ip6tables part.

Warning: If you dont not have the enough IT experience, you should run the following sections carefully. Maybe you will lost you connection to your Synology and hard to connect it again.

I wrote some IPv4 rules, the following code section is part of the rule file, you can run the iptables-save to export the rule file:

After run the iptables-restore and iptables -L, you can see the following result:

The IPv6 firewall part is similar to IPv4 firewall:

I also wrote two scripts to make firewall can load IPv4 and IPv6 rules or reset the firewall to default:

Here are the files (also the file ‘ipv4-default’ and ‘ipv6-default’ below) which can restore the firewall to default:

Finally you can make a schedule task to run two scripts above in the Control Panel such as each one minute to run them, that can make sure the firewall is always loading the whitelist rules which you wrote.

Article References:

iptables – Debian Wiki
IptablesHowTo – Ubuntu Wiki
HowTos/Network/IPTables – CentOS Wiki

6 thoughts on “Change the firewall manually to make your Synology more safe!”

  1. By the way you tutorial is not good anymore because they have based their firewall on the principle that every single rule you authorize, is on target RETURN which go ask to the general policy which have to be on ACCEPT then.
    there are 2 rules for DROP, one for each interface

    1. Thank for your reply.

      The core of my idea is white-list system. So two rules for DROP in this tutorial.

  2. I’m new to Synology’s products, so I wonder if they changed something again?

    I tried to add a rule chain of my own, and a minute after adding a jump target to the OUTPUT chain, the target disappears…

    Also, flushing all the chains (iptables -F) doesn’t work. Which makes using iptables-restore challenging (it just won’t work). Removing individual chains seems to work though. (but I have a feeling those changes will be reset soon enough too)

    Is everything still working for you?

    1. Sorry for my late reply. This article was submitted few years ago. It may not work any more. You can manage your firewall rule by the web interface.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.