Archive

Archives pour 03/2016

Change the firewall manually to make your Synology more safe!

08/03/2016 Comments off

Source: Changzhou Chen

The default firewall in the Control Panel is so poor because of the poor design of Synology’s firewall policy. You can not use the white list in the global environment if you have both IPv4 or IPv6 network environment. To decrease the risk of being hacked, I’ve decided to change the firewall manually. We should use iptables and ip6tables to change both IPv4 and IPv6 firewall. If you don’t have the need for IPv6 network environment, you can ignore the ip6tables part.

Warning: If you don’t have enough IT experience, you should run the following sections carefully. Maybe you will lose your connection to your Synology and find it hard to connect to it again.

I wrote some IPv4 rules, the following code section is part of the rule file, you can run the iptables-save to export the rule file:

DiskStation> iptables-save > ipv4
# For your simple reference, I delete the
# unuseful part of rule file which exported by iptables-save. The following
# part is completely different from the file exported by iptables-save.
DiskStation> cat ipv4
*filter
:INPUT DROP # Drops all inbound connections that doesn't use the following rules
:FORWARD ACCEPT # It may be default, you can ignore it
:OUTPUT ACCEPT # It may be default, you can ignore it
-A INPUT -i lo -j ACCEPT # Allows all loopback (lo0) traffic
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Accepts all established inbound connections
-A INPUT -s 192.168.1.1/255.255.255.0 -j ACCEPT # Allows your Intranet inbound connections
-A INPUT -s 1.2.3.4 -j ACCEPT # Allows the specified ip address inbound connections
COMMIT

After run the iptables-restore and iptables -L, you can see the following result:

DiskStation> iptables-restore < ipv4
DiskStation> iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DEFAULT_INPUT  all  --  anywhere             anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain DEFAULT_INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  1.2.3.4              anywhere

Lire la suite…

Categories: Matériel, Réseau, Sécurité Tags: , ,