
Change the firewall manually to make your Synology more safe!

08/03/2016 Categories: Hardware, Network, Security

Source: Changzhou Chen

The default firewall in the Control Panel is weak because Synology's firewall policy is poorly designed: you cannot use a global whitelist if you have both an IPv4 and an IPv6 network environment. To reduce the risk of being hacked, I decided to change the firewall manually. We use iptables and ip6tables to change the IPv4 and the IPv6 firewall respectively. If you have no need for IPv6, you can ignore the ip6tables part.

Warning: if you do not have enough IT experience, run the following sections carefully. You may lose your connection to your Synology and find it hard to connect to it again.

I wrote some IPv4 rules. The following code section is part of the rule file; you can run iptables-save to export the current rule file:

DiskStation> iptables-save > ipv4
# For your simple reference, I deleted the unuseful part of the rule file
# exported by iptables-save. The following part is completely different
# from the file exported by iptables-save.
DiskStation> cat ipv4
*filter
# Drop all inbound connections that don't match one of the following rules
:INPUT DROP [0:0]
# Both may already be the default; you can ignore them
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all loopback (lo) traffic
-A INPUT -i lo -j ACCEPT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow inbound connections from your intranet
-A INPUT -s 192.168.1.1/255.255.255.0 -j ACCEPT
# Allow inbound connections from the specified IP address
-A INPUT -s 1.2.3.4 -j ACCEPT
COMMIT

After running iptables-restore and iptables -L, you see the following result:

DiskStation> iptables-restore < ipv4
DiskStation> iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DEFAULT_INPUT  all  --  anywhere             anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain DEFAULT_INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  1.2.3.4              anywhere

The IPv6 firewall part is similar to the IPv4 firewall:

DiskStation> ip6tables-save > ipv6
# For your simple reference, I deleted the unuseful part of the rule file
# exported by ip6tables-save. The following part is completely different
# from the file exported by ip6tables-save.

DiskStation> cat ipv6
*filter
# Drop all inbound connections that don't match one of the following rules
:INPUT DROP [0:0]
# Both may already be the default; you can ignore them
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all loopback (lo) traffic
-A INPUT -i lo -j ACCEPT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT

DiskStation> ip6tables-restore < ipv6
DiskStation> ip6tables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DEFAULT_INPUT  all      anywhere             anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain DEFAULT_INPUT (1 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED

I also wrote two scripts that load the IPv4 and IPv6 rules or reset the firewall to its default:

DiskStation> cat iptables.sh
#!/bin/sh
# Load the whitelist (start) or the permissive default rules (stop).
# The rule files sit next to this script, so they are resolved from the
# script's own directory: a bare relative path breaks when the scheduler
# runs the script from another working directory.
RULES_DIR=$(dirname "$0")
case "$1" in
start)
 /sbin/iptables-restore < "$RULES_DIR/ipv4"
 ;;
stop)
 /sbin/iptables-restore < "$RULES_DIR/ipv4-default"
 ;;
*)
 echo "Usage: $0 {start|stop}"
 exit 1
 ;;
esac
exit 0



DiskStation> cat ip6tables.sh
#!/bin/sh
# Same as iptables.sh, for the IPv6 rule files.
RULES_DIR=$(dirname "$0")
case "$1" in
start)
 /sbin/ip6tables-restore < "$RULES_DIR/ipv6"
 ;;
stop)
 /sbin/ip6tables-restore < "$RULES_DIR/ipv6-default"
 ;;
*)
 echo "Usage: $0 {start|stop}"
 exit 1
 ;;
esac
exit 0

Here is the content of the files ipv4-default and ipv6-default used by the stop branch above, which restore the firewall to its default (accept everything):

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

Finally, you can create a scheduled task in the Control Panel that runs the two scripts above, for example once every minute, to make sure the firewall is always loading the whitelist rules you wrote.
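As an added example (mine, not code from the original post or from Synology), the following script ties the two pieces above together: it builds the IPv4 and IPv6 whitelist files in the iptables-save format shown earlier, checks each file with iptables-restore --test (see iptables-restore(8)) before anything is loaded, saves the running ruleset, and reverts automatically unless the administrator confirms from a session opened after the load, which is the lock-out the warning at the top is about. The directory /volume1/firewall, the build4/build6/apply subcommands and the *.previous/*.confirmed file names are my assumptions, not anything from the post.

```sh
#!/bin/sh
# Added example, not from the original post: build the two whitelist rule
# files in iptables-save format, check them with "iptables-restore --test"
# before loading, and revert automatically if nobody confirms in time.
# Assumed: rule files live in $RULES_DIR (default /volume1/firewall) and the
# binaries are in /sbin as on DSM; both can be overridden from the environment.

RULES_DIR=${RULES_DIR:-/volume1/firewall}

# Reject anything that is not an address or CIDR prefix, so a typo in the
# whitelist cannot become an extra iptables argument (e.g. "1.2.3.4 -j ACCEPT").
valid_source() {
    case $1 in
    4) printf '%s\n' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' ;;
    6) printf '%s\n' "$2" | grep -Eq '^[0-9A-Fa-f:]+(/[0-9]{1,3})?$' ;;
    *) return 1 ;;
    esac
}

# gen_rules FAMILY [SOURCE...]: print a filter table whose INPUT policy is
# DROP and which only accepts loopback, replies to the NAS's own connections
# and the listed sources. For IPv6 an ICMPv6 rule is added: neighbour
# discovery and router advertisements are ICMPv6, and dropping them leaves
# the NAS unreachable over IPv6 even from whitelisted hosts.
gen_rules() {
    family=$1; shift
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    if [ "$family" = 6 ]; then
        printf '%s\n' '-A INPUT -p ipv6-icmp -j ACCEPT'
    fi
    for src in "$@"; do
        valid_source "$family" "$src" || { echo "rejected source: $src" >&2; return 1; }
        printf '%s\n' "-A INPUT -s $src -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# write_rules FAMILY [SOURCE...]: write $RULES_DIR/ipv4 or ipv6 atomically,
# so a rejected source never leaves a half-written file behind.
write_rules() {
    family=$1; shift; out="$RULES_DIR/ipv$family"
    gen_rules "$family" "$@" > "$out.tmp" && mv "$out.tmp" "$out"
}

# Binaries per family; the environment overrides let the functions be
# exercised on a machine without netfilter or root.
restore_cmd() {
    if [ "$1" = 6 ]; then echo "${IP6TABLES_RESTORE:-/sbin/ip6tables-restore}"
    else echo "${IPTABLES_RESTORE:-/sbin/iptables-restore}"; fi
}
save_cmd() {
    if [ "$1" = 6 ]; then echo "${IP6TABLES_SAVE:-/sbin/ip6tables-save}"
    else echo "${IPTABLES_SAVE:-/sbin/iptables-save}"; fi
}

# apply_rules FAMILY FILE [SECONDS]: parse-check FILE without touching the
# kernel, keep the running ruleset in FILE.previous, load FILE, then revert
# to FILE.previous after SECONDS unless FILE.confirmed has been created.
# Confirming from a session opened after the load proves the whitelist
# still lets the administrator in.
apply_rules() {
    family=$1; file=$2; seconds=${3:-60}
    restore=$(restore_cmd "$family"); save=$(save_cmd "$family")
    "$restore" --test < "$file" || { echo "$file rejected by $restore, nothing changed" >&2; return 1; }
    "$save" > "$file.previous" || return 1
    rm -f "$file.confirmed"
    "$restore" < "$file" || return 1
    ( sleep "$seconds"; [ -e "$file.confirmed" ] || "$restore" < "$file.previous" ) &
    echo "loaded $file; run 'touch $file.confirmed' within $seconds s to keep it"
}

# Usage on the NAS as root (assumed subcommand names):
#   firewall.sh build4 192.168.1.0/24 1.2.3.4   -> writes $RULES_DIR/ipv4
#   firewall.sh build6 2001:db8::/32            -> writes $RULES_DIR/ipv6
#   firewall.sh apply 4 60 ; then: touch $RULES_DIR/ipv4.confirmed
main() {
    cmd=$1; shift
    case $cmd in
    build4) write_rules 4 "$@" ;;
    build6) write_rules 6 "$@" ;;
    apply)  apply_rules "$1" "$RULES_DIR/ipv$1" "$2" ;;
    *) echo "Usage: $0 {build4 SRC...|build6 SRC...|apply 4|6 [SECONDS]}" >&2; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

The one deliberate difference from the post's IPv6 file is the ICMPv6 accept rule: with INPUT DROP and no such rule, the NAS no longer answers neighbour solicitations, so it disappears from the IPv6 network even for the whitelisted hosts. The confirm-or-revert timer is only for the first interactive load; once the whitelist is confirmed, the minute-by-minute scheduled task from the post can keep reloading the plain files with iptables-restore and ip6tables-restore as described above.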
