My QNAP is connected to the internet. I have some services exposed on it: HTTP for the blog I previously ran, HTTPS and SSH to manage it, RSYNC to sync certain folders to a remote QNAP, and FTP to upload or download files when necessary. At the time I only had an off-the-shelf wireless router, which could only do port forwarding and simple NAT. This meant that anyone on the internet could connect to these open ports, attempt to guess the username and password, and possibly cause havoc on my beloved files.

The solution to this problem for me was to allow access to these services from subnets which were allocated to my country, Malta.

Using the QNAP’s management interface, one can add only one subnet at a time, which would be too time consuming for over 70 subnets. It is still necessary, though, to log in to the web interface and select “Allow Connections from the list only” under Security in the System Settings.

Make sure that your own subnet is listed or you might lose connectivity.

The list of subnets allocated to Malta was obtained from

https://www.countryipblocks.net/country_selection.php

I selected Malta from the country list and the Netmask radio button. The list box on the left was populated with the subnets.

Copy the subnets and paste them into a spreadsheet, in column A, to convert them to the format the QNAP accepts.

Log in via SSH and edit the ipsec.conf file found in /etc/config:

type vi /etc/config/ipsec.conf and press Enter. The image below is a sample of the screen output after executing the command.

Viewing the file I noticed that each entry followed the pattern prefix:network address:subnet mask:0:1263450105

I discovered that the prefix could be 0, 1 or 2, meaning the entry was a single IP address, a subnet or a range of IPs respectively. The meaning of the trailing 0:1263450105 is not known to me; it changed for the whole list whenever a new network was added.

Back in the spreadsheet, I replaced the / with : using Replace All, so 37.75.32.0/255.255.224.0 became 37.75.32.0:255.255.224.0.

Assuming that the pasted content starts at A1, =CONCATENATE("1:",A1,":0:1263450105") was filled in B1. This resulted in

1:37.75.32.0:255.255.224.0:0:1263450105

I dragged the formula down to the end of the subnet list, and all the subnets were then ready to be copied and pasted into the ipsec.conf file.
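The same conversion done with a script instead of a spreadsheet, as an added example that is not part of the original post. It accepts both the netmask form used above and CIDR prefix lengths, rejects entries whose host bits are set, and adds the check from earlier in the post: that your own address is covered before you apply the list. The sample subnets other than 37.75.32.0/255.255.224.0 are constructed documentation ranges, and the trailing 0:1263450105 is simply copied from the post.

```python
import ipaddress

# Trailing field copied from the existing ipsec.conf entries on the NAS.
# The post reports it as 0:1263450105; its meaning is unknown.
SUFFIX = "0:1263450105"

# Constructed sample list: the first entry is from the post, the rest are
# RFC 5737 documentation ranges, in netmask and CIDR form.
SAMPLE_SUBNETS = """
37.75.32.0/255.255.224.0
192.0.2.0/24
198.51.100.0/255.255.255.0
"""


def to_ipsec_line(entry, suffix=SUFFIX):
    """Convert 'network/netmask' or 'network/prefixlen' into the ipsec.conf
    form 'prefix:network:netmask:<suffix>' with prefix 1 (a subnet).
    strict=True makes ip_network() raise ValueError if host bits are set,
    so a mistyped entry is rejected instead of silently widening the list."""
    net = ipaddress.ip_network(entry.strip(), strict=True)
    return f"1:{net.network_address}:{net.netmask}:{suffix}"


def convert_list(text):
    """Return ipsec.conf lines for every non-empty, non-comment line of text."""
    entries = [ln.strip() for ln in text.splitlines()]
    return [to_ipsec_line(e) for e in entries if e and not e.startswith("#")]


def is_covered(ip, text):
    """True if the address you manage the NAS from falls inside one of the
    subnets; if False, applying the list will lock you out."""
    addr = ipaddress.ip_address(ip)
    nets = (ipaddress.ip_network(e.strip(), strict=True)
            for e in text.splitlines() if e.strip() and not e.startswith("#"))
    return any(addr in net for net in nets)


if __name__ == "__main__":
    # Hypothetical management address; replace with your own before use.
    my_ip = "37.75.40.7"
    if not is_covered(my_ip, SAMPLE_SUBNETS):
        raise SystemExit(f"{my_ip} is not in the list; do not apply it")
    print("\n".join(convert_list(SAMPLE_SUBNETS)))
```

Redirect the output into a file and paste it into ipsec.conf as described below.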

In the SSH window press the Insert key so that vi lets you edit the ipsec.conf file, and make sure you are on a new line.

If using PuTTY, right-click in the window and all the copied text will be pasted. When done, press the Esc key, then type :wq and press Enter. This saves the changes and quits the vi editor.

Restart networking by typing /etc/init.d/network.sh restart and pressing Enter. You will lose connectivity.

Log on to the web management and check the list of allowed subnets. You will find all the items there.

It is important to renew this list every once in a while, as new subnets may be allocated; if you connect to the internet from one of those new IPs, you will not have access to the NAS.


By Brian Farrugia

I am the author of Phy2Vir.com. More info can be found on the about page.

10 thoughts on “Restricting access to QNAP NAS by country”
  1. It would be better to say that if you cut yourself out of the network you can disable this IP check by deleting “IP Security = 1” line in /etc/config/uLinux.conf

    1. Hi,
      thanks for the tip. I am afraid that you would not be able to login to ssh or telnet to make the change. If you do connect you can delete the line as mentioned or change it to “IP Security = 3” which is like selecting “Allow all Connections” This can also be used to enable the security instead of going through the web gui by changing it to “IP Security =1”.
      Thanks for commenting! Hope you found the article useful.

  2. Be careful!

    This doesn’t work anymore for QTS 4.1.4 and QTS 4.2

    You can still put the content in the ipsec.conf and you can reload the network configuration to see it loading into qts security form.

    BUT: it doesn’t get applied until you quickly switch between “Allow all connections” and then back to “Only allow from these IP addresses”

    I suppose there is some command that triggers the actual execution of the rules.

    Can you find out what has to be executed in order to automate it?

    I’m creating an app that will super-power the whitelisting feature 🙂

    btw: I also noticed that when you add a country list to the ipsec.conf file, that when you look in QTS in the security -> IP address list box -> it states in RED : “Only 2048 hosts are allowed and you have 4000 host in your list!”

    1. Hi Sebastien,
      thanks for commenting. Indeed I had tried this on an older firmware and didn’t check it any more as I now use my router to filter IPs.
      I have QTS 4.2 beta 1 installed on the NAS and it does not mention the 4000 host limit. As for the command you requested, I tried looking into it but I have limited linux knowledge.
      Hopefully the command James mention will help you out.

      Good luck with the app and let us know when you finish it.
      Brian

  3. Running /etc/init.d/network.sh will not reload the ip filter tables with any changes you’ve made to ipsec.conf. To apply the changes immediately, you need to run /sbin/ip_filter. Hope that helps.

    1. James, Brian,

      Thanks that did the Job

      I’m gonna correct this in the application, it was almost finished I was blocked on two fronts:
      1) the ipsec.conf was not being reloaded (now solved in the next version)
      2) To auto resolve hostnames I use crontab, but the webuser cannot overwrite or chmod the /etc/services/crontab file (when I manually set it with my admin account to chmod 777 it works)

      You can find the packaged application here:
      http://www.forum-nas.fr/viewtopic.php?f=21&t=2301

      1.3 was the latest version, 1.4 will contain this fix from James 😉

      1. Version 1.4 is out and it is almost fully functional

        The only problem I have is that /etc/config/crontab is being overwritten at every nas restart … therefore the cronjob for resolving hostnames is always washed out…
