The default firewall in the Control Panel is so poor because the worse design of Synology’s firewall policy. You can not use the white list in the global environment if you have both IPv4 or IPv6 network environment. To decrease the risk of being hacked, I decided to change the firewall manually. We should use iptables and ip6tables to change both IPv4 and IPv6 firewall. If you have not the IPv6 network environment, you can ignore the ip6tables part.
Warning: If you dont not have the enough IT experience, you should run the following sections carefully. Maybe you will lost you connection to your Synology and hard to connect it again.
I wrote some IPv4 rules, the following code section is part of the rule file, you can run the iptables-save to export the rule file:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
DiskStation> iptables-save > ipv4 # For your simple reference, I delete the #unuseful part of rule file which exported by iptables-save. The follwing #part is completely different with the file exported by iptables-save. DiskStation> cat ipv4 *filter :INPUT DROP # Drops all inbound connections that doesn't use the following rules :FORWARD ACCEPT # It may be default, you can ignore it :OUTPUT ACCEPT # It may be default, you can ignore it -A INPUT -i lo -j ACCEPT # Allows all loopback (lo0) traffic -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Accepts all established inbound connections -A INPUT -s 192.168.1.1/255.255.255.0 -j ACCEPT # Allows your Intranet inbound connections -A INPUT -s 1.2.3.4 -j ACCEPT # Allows the specified ip address inbound connections COMMIT |
After run the iptables-restore and iptables -L, you can see the following result:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
DiskStation> iptables-restore < ipv4 DiskStation> iptables -L Chain INPUT (policy DROP) target prot opt source destination DEFAULT_INPUT all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain DEFAULT_INPUT (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- 192.168.1.0/24 anywhere ACCEPT all -- 1.2.3.4 anywhere |
The IPv6 firewall part is similar to IPv4 firewall:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
DiskStation> ip6tables-save > ipv6 # For your simple reference, I delete the #unuseful part of rule file which exported by iptables-save. The follwing #part is completely different with the file exported by iptables-save. DiskStation> cat ipv6 *filter :INPUT DROP # Drops all inbound connections that doesn't use the following rules :FORWARD ACCEPT # It may be default, you can ignore it :OUTPUT ACCEPT # It may be default, you can ignore it -A INPUT -i lo -j ACCEPT # Allows all loopback (lo0) traffic -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Accepts all established #inbound connections COMMIT |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
DiskStation> ip6tables-restore < ipv6 DiskStation> ip6tables -L Chain INPUT (policy DROP) target prot opt source destination DEFAULT_INPUT all anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain DEFAULT_INPUT (1 references) target prot opt source destination ACCEPT all anywhere anywhere ACCEPT all anywhere anywhere state RELATED,ESTABLISHED |
I also wrote two scripts to make firewall can load IPv4 and IPv6 rules or reset the firewall to default:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
DiskStation> cat iptables.sh #!/bin/sh case "$1" in start) /sbin/iptables-restore < ipv4 ;; stop) /sbin/iptables-restore < ipv4-default ;; *) echo "Usage: $0 {start|stop}" exit 1 esac exit 0 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
DiskStation> cat ip6tables.sh #!/bin/sh case "$1" in start) /sbin/ip6tables-restore < ipv6 ;; stop) /sbin/ip6tables-restore < ipv6-default ;; *) echo "Usage: $0 {start|stop}" exit 1 esac exit 0 |
Here are the files (also the file ‘ipv4-default’ and ‘ipv6-default’ below) which can restore the firewall to default:
|
1 2 3 4 5 |
*filter :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT COMMIT |
Finally you can make a schedule task to run two scripts above in the Control Panel such as each one minute to run them, that can make sure the firewall is always loading the whitelist rules which you wrote.
Article References:
iptables – Debian Wiki
IptablesHowTo – Ubuntu Wiki
HowTos/Network/IPTables – CentOS Wiki