Synology – ChangzhouC

First of all, you must install the libsodium library.

You can download the lastest version from here.

Here are all the commands to install libsodium.

DiskStation> wget https://download.libsodium.org/libsodium/releases/libsodium-1.0.3.tar.gz --no-check-certificate
DiskStation> tar xzvf libsodium-1.0.3.tar.gz
DiskStation> cd libsodium-1.0.3/
DiskStation> ./configure && make
DiskStation> make install
DiskStation> cp -a /usr/local/lib/libsodium* /lib/

DiskStation> wget https://download.libsodium.org/libsodium/releases/libsodium-1.0.3.tar.gz --no-check-certificate

DiskStation> tar xzvf libsodium-1.0.3.tar.gz

DiskStation> cd libsodium-1.0.3/

DiskStation> ./configure && make

DiskStation> make install

DiskStation> cp -a /usr/local/lib/libsodium* /lib/

Then you can download the DNSCrypt from here.

Here are all the commands to install DNSCrypt.

DiskStation> wget https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.6.0.tar.gz --no-check-certificate
DiskStation> tar xzvf dnscrypt-proxy-1.6.0.tar.gz
DiskStation> cd dnscrypt-proxy-1.6.0/
DiskStation> ./configure && make
DiskStation> make install

DiskStation> wget https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.6.0.tar.gz --no-check-certificate

DiskStation> tar xzvf dnscrypt-proxy-1.6.0.tar.gz

DiskStation> cd dnscrypt-proxy-1.6.0/

DiskStation> ./configure && make

DiskStation> make install

After installed these, you can run the following command to make a clean.

DiskStation> cd ..
DiskStation> rm -rf libsodium* dnscrypt*

1 2	DiskStation> cd .. DiskStation> rm -rf libsodium* dnscrypt*

And you can use the following command to test the DNS service with the Cisco OpenDNS.

DiskStation> /usr/local/sbin/dnscrypt-proxy -R "cisco" --test=0
[INFO] - [cisco] does not support DNS Security Extensions
[INFO] - [cisco] does not support Namecoin domains
[WARNING] - [cisco] logs your activity - a different provider might be better a choice if privacy is a concern
[NOTICE] Starting dnscrypt-proxy 1.6.0
[INFO] Generating a new session key pair
[INFO] Done
[INFO] Server certificate #1435874751 received
[INFO] This certificate looks valid
[INFO] Chosen certificate #1435874751 is valid from [2015-07-03] to [2016-07-02]
[INFO] Server key fingerprint is ED19:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315

DiskStation> /usr/local/sbin/dnscrypt-proxy -R "cisco" --test=0

[INFO] - [cisco] does not support DNS Security Extensions

[INFO] - [cisco] does not support Namecoin domains

[WARNING] - [cisco] logs your activity - a different provider might be better a choice if privacy is a concern

[NOTICE] Starting dnscrypt-proxy 1.6.0

[INFO] Generating a new session key pair

[INFO] Done

[INFO] Server certificate #1435874751 received

[INFO] This certificate looks valid

[INFO] Chosen certificate #1435874751 is valid from [2015-07-03] to [2016-07-02]

[INFO] Server key fingerprint is ED19:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315

If all goes well, you can run the following command to start DNSCrypt and set the DNS service.

DiskStation> /usr/local/sbin/dnscrypt-proxy -R "cisco" --daemonize
DiskStation> echo 'nameserver      127.0.0.1' > /etc/resolv.conf

1 2	DiskStation> /usr/local/sbin/dnscrypt-proxy -R "cisco" --daemonize DiskStation> echo 'nameserver 127.0.0.1' > /etc/resolv.conf

Then you can visit http://www.opendns.com/welcome to make sure if you are using the Cisco OpenDNS service.

Finally you should add a script to rc.d to run DNSCrypt autostart whenever the Synology starts up.

DiskStation> cd /usr/local/etc/rc.d
DiskStation> cat dnscrypt-proxy.sh
#!/bin/sh

case "$1" in
start)
 /usr/local/sbin/dnscrypt-proxy -R cisco --daemonize
 ;;
stop)
 pkill dnscrypt-proxy
 ;;
*)
  echo "Usage: $0 {start|stop}"
  exit 1
esac

exit 0

DiskStation> cd /usr/local/etc/rc.d

DiskStation> cat dnscrypt-proxy.sh

#!/bin/sh

case "$1" in

start)

/usr/local/sbin/dnscrypt-proxy -R cisco --daemonize

;;

stop)

pkill dnscrypt-proxy

;;

echo "Usage: $0 {start|stop}"

exit 1

esac

exit 0

The default firewall in the Control Panel is so poor because the worse design of Synology’s firewall policy. You can not use the white list in the global environment if you have both IPv4 or IPv6 network environment. To decrease the risk of being hacked, I decided to change the firewall manually. We should use iptables and ip6tables to change both IPv4 and IPv6 firewall. If you have not the IPv6 network environment, you can ignore the ip6tables part.

Warning: If you dont not have the enough IT experience, you should run the following sections carefully. Maybe you will lost you connection to your Synology and hard to connect it again.

I wrote some IPv4 rules, the following code section is part of the rule file, you can run the iptables-save to export the rule file:

DiskStation> iptables-save > ipv4 # For your simple reference, I delete the
#unuseful part of rule file which exported by iptables-save. The follwing
#part is completely different with the file exported by iptables-save.

DiskStation> cat ipv4
*filter
:INPUT DROP # Drops all inbound connections that doesn't use the following rules
:FORWARD ACCEPT # It may be default, you can ignore it
:OUTPUT ACCEPT # It may be default, you can ignore it
-A INPUT -i lo -j ACCEPT # Allows all loopback (lo0) traffic
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Accepts all established inbound connections
-A INPUT -s 192.168.1.1/255.255.255.0 -j ACCEPT # Allows your Intranet inbound connections
-A INPUT -s 1.2.3.4 -j ACCEPT # Allows the specified ip address inbound connections
COMMIT

DiskStation> iptables-save > ipv4 # For your simple reference, I delete the

#unuseful part of rule file which exported by iptables-save. The follwing

#part is completely different with the file exported by iptables-save.

DiskStation> cat ipv4

*filter

:INPUT DROP # Drops all inbound connections that doesn't use the following rules

:FORWARD ACCEPT # It may be default, you can ignore it

:OUTPUT ACCEPT # It may be default, you can ignore it

-A INPUT -i lo -j ACCEPT # Allows all loopback (lo0) traffic

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Accepts all established inbound connections

-A INPUT -s 192.168.1.1/255.255.255.0 -j ACCEPT # Allows your Intranet inbound connections

-A INPUT -s 1.2.3.4 -j ACCEPT # Allows the specified ip address inbound connections

COMMIT

After run the iptables-restore and iptables -L, you can see the following result:

DiskStation> iptables-restore < ipv4

DiskStation> iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DEFAULT_INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DEFAULT_INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  1.2.3.4              anywhere

DiskStation> iptables-restore < ipv4

DiskStation> iptables -L

Chain INPUT (policy DROP)

target prot opt source destination

DEFAULT_INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

Chain DEFAULT_INPUT (1 references)

target prot opt source destination

ACCEPT all -- anywhere anywhere

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

ACCEPT all -- 192.168.1.0/24 anywhere

ACCEPT all -- 1.2.3.4 anywhere

The IPv6 firewall part is similar to IPv4 firewall:

DiskStation> ip6tables-save > ipv6 # For your simple reference, I delete the
#unuseful part of rule file which exported by iptables-save. The follwing
#part is completely different with the file exported by iptables-save.

DiskStation> cat ipv6
*filter
:INPUT DROP # Drops all inbound connections that doesn't use the following rules
:FORWARD ACCEPT # It may be default, you can ignore it
:OUTPUT ACCEPT # It may be default, you can ignore it
-A INPUT -i lo -j ACCEPT # Allows all loopback (lo0) traffic
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Accepts all established
#inbound connections
COMMIT

DiskStation> ip6tables-save > ipv6 # For your simple reference, I delete the

#unuseful part of rule file which exported by iptables-save. The follwing

#part is completely different with the file exported by iptables-save.

DiskStation> cat ipv6

*filter

:INPUT DROP # Drops all inbound connections that doesn't use the following rules

:FORWARD ACCEPT # It may be default, you can ignore it

:OUTPUT ACCEPT # It may be default, you can ignore it

-A INPUT -i lo -j ACCEPT # Allows all loopback (lo0) traffic

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Accepts all established

#inbound connections

COMMIT

DiskStation> ip6tables-restore < ipv6

DiskStation> ip6tables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DEFAULT_INPUT  all      anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DEFAULT_INPUT (1 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED

DiskStation> ip6tables-restore < ipv6

DiskStation> ip6tables -L

Chain INPUT (policy DROP)

target prot opt source destination

DEFAULT_INPUT all anywhere anywhere

Chain FORWARD (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

Chain DEFAULT_INPUT (1 references)

target prot opt source destination

ACCEPT all anywhere anywhere

ACCEPT all anywhere anywhere state RELATED,ESTABLISHED

I also wrote two scripts to make firewall can load IPv4 and IPv6 rules or reset the firewall to default:

DiskStation> cat iptables.sh

#!/bin/sh

case "$1" in
start)
 /sbin/iptables-restore < ipv4
 ;;
stop)
 /sbin/iptables-restore < ipv4-default
 ;;
*)
  echo "Usage: $0 {start|stop}"
  exit 1
esac

exit 0

DiskStation> cat iptables.sh

#!/bin/sh

case "$1" in

start)

/sbin/iptables-restore < ipv4

;;

stop)

/sbin/iptables-restore < ipv4-default

;;

echo "Usage: $0 {start|stop}"

exit 1

esac

exit 0

DiskStation> cat ip6tables.sh

#!/bin/sh

case "$1" in
start)
 /sbin/ip6tables-restore < ipv6
 ;;
stop)
 /sbin/ip6tables-restore < ipv6-default
 ;;
*)
  echo "Usage: $0 {start|stop}"
  exit 1
esac

exit 0

DiskStation> cat ip6tables.sh

#!/bin/sh

case "$1" in

start)

/sbin/ip6tables-restore < ipv6

;;

stop)

/sbin/ip6tables-restore < ipv6-default

;;

echo "Usage: $0 {start|stop}"

exit 1

esac

exit 0

Here are the files (also the file ‘ipv4-default’ and ‘ipv6-default’ below) which can restore the firewall to default:

*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT

*filter

:INPUT ACCEPT

:FORWARD ACCEPT

:OUTPUT ACCEPT

COMMIT

Finally you can make a schedule task to run two scripts above in the Control Panel such as each one minute to run them, that can make sure the firewall is always loading the whitelist rules which you wrote.

Article References:

iptables – Debian Wiki
IptablesHowTo – Ubuntu Wiki
HowTos/Network/IPTables – CentOS Wiki

Tag: Synology

Install DNSCrypt on Synology DSM 5

Change the firewall manually to make your Synology more safe!