Change the firewall manually to make your Synology more safe!
Source: Changzhou Chen
The default firewall in the Control Panel is so poor because of the poor design of Synology’s firewall policy. You can not use the white list in the global environment if you have both IPv4 or IPv6 network environment. To decrease the risk of being hacked, I’ve decided to change the firewall manually. We should use iptables and ip6tables to change both IPv4 and IPv6 firewall. If you don’t have the need for IPv6 network environment, you can ignore the ip6tables part.
Warning: If you don’t have enough IT experience, you should run the following sections carefully. Maybe you will lose your connection to your Synology and find it hard to connect to it again.
I wrote some IPv4 rules, the following code section is part of the rule file, you can run the iptables-save to export the rule file:
DiskStation> iptables-save > ipv4 # For your simple reference, I delete the # unuseful part of rule file which exported by iptables-save. The following # part is completely different from the file exported by iptables-save.
DiskStation> cat ipv4 *filter :INPUT DROP # Drops all inbound connections that doesn't use the following rules :FORWARD ACCEPT # It may be default, you can ignore it :OUTPUT ACCEPT # It may be default, you can ignore it -A INPUT -i lo -j ACCEPT # Allows all loopback (lo0) traffic -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Accepts all established inbound connections -A INPUT -s 192.168.1.1/255.255.255.0 -j ACCEPT # Allows your Intranet inbound connections -A INPUT -s 1.2.3.4 -j ACCEPT # Allows the specified ip address inbound connections COMMIT
After run the iptables-restore and iptables -L, you can see the following result:
DiskStation> iptables-restore < ipv4 DiskStation> iptables -L Chain INPUT (policy DROP) target prot opt source destination DEFAULT_INPUT all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain DEFAULT_INPUT (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- 192.168.1.0/24 anywhere ACCEPT all -- 1.2.3.4 anywhere
The IPv6 firewall part is similar to IPv4 firewall:
DiskStation> ip6tables-save > ipv6 # For your simple reference, I delete the #unuseful part of rule file which exported by iptables-save. The follwing #part is completely different with the file exported by iptables-save. DiskStation> cat ipv6 *filter :INPUT DROP # Drops all inbound connections that doesn't use the following rules :FORWARD ACCEPT # It may be default, you can ignore it :OUTPUT ACCEPT # It may be default, you can ignore it -A INPUT -i lo -j ACCEPT # Allows all loopback (lo0) traffic -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Accepts all established #inbound connections COMMIT
DiskStation> ip6tables-restore < ipv6 DiskStation> ip6tables -L Chain INPUT (policy DROP) target prot opt source destination DEFAULT_INPUT all anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain DEFAULT_INPUT (1 references) target prot opt source destination ACCEPT all anywhere anywhere ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
DiskStation> ip6tables-restore < ipv6 DiskStation> ip6tables -L Chain INPUT (policy DROP) target prot opt source destination DEFAULT_INPUT all anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain DEFAULT_INPUT (1 references) target prot opt source destination ACCEPT all anywhere anywhere ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
I also wrote two scripts to make firewall can load IPv4 and IPv6 rules or reset the firewall to default:
DiskStation> cat iptables.sh #!/bin/sh case "$1" in start) /sbin/iptables-restore < ipv4 ;; stop) /sbin/iptables-restore < ipv4-default ;; *) echo "Usage: $0 {start|stop}" exit 1 esac exit 0 DiskStation> cat ip6tables.sh #!/bin/sh case "$1" in start) /sbin/ip6tables-restore < ipv6 ;; stop) /sbin/ip6tables-restore < ipv6-default ;; *) echo "Usage: $0 {start|stop}" exit 1 esac exit 0
Here are the files (also the file ‘ipv4-default’ and ‘ipv6-default’ below) which can restore the firewall to default:
*filter :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT COMMIT
Finally you can make a crontab task to run the two scripts above in the Control Panel such as each one runs every minute, just to make sure the firewall is always loading the whitelist rules which you wrote.