Change the firewall manually to make your Synology more safe!
Source: Changzhou Chen
The default firewall in the Control Panel is so poor because of the poor design of Synology’s firewall policy. You can not use the white list in the global environment if you have both IPv4 or IPv6 network environment. To decrease the risk of being hacked, I’ve decided to change the firewall manually. We should use iptables and ip6tables to change both IPv4 and IPv6 firewall. If you don’t have the need for IPv6 network environment, you can ignore the ip6tables part.
Warning: If you don’t have enough IT experience, you should run the following sections carefully. Maybe you will lose your connection to your Synology and find it hard to connect to it again.
I wrote some IPv4 rules, the following code section is part of the rule file, you can run the iptables-save to export the rule file:
DiskStation> iptables-save > ipv4 # For your simple reference, I delete the # unuseful part of rule file which exported by iptables-save. The following # part is completely different from the file exported by iptables-save.
DiskStation> cat ipv4 *filter :INPUT DROP # Drops all inbound connections that doesn't use the following rules :FORWARD ACCEPT # It may be default, you can ignore it :OUTPUT ACCEPT # It may be default, you can ignore it -A INPUT -i lo -j ACCEPT # Allows all loopback (lo0) traffic -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Accepts all established inbound connections -A INPUT -s 192.168.1.1/255.255.255.0 -j ACCEPT # Allows your Intranet inbound connections -A INPUT -s 1.2.3.4 -j ACCEPT # Allows the specified ip address inbound connections COMMIT
After run the iptables-restore and iptables -L, you can see the following result:
DiskStation> iptables-restore < ipv4 DiskStation> iptables -L Chain INPUT (policy DROP) target prot opt source destination DEFAULT_INPUT all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain DEFAULT_INPUT (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- 192.168.1.0/24 anywhere ACCEPT all -- 1.2.3.4 anywhere