I just purchased and set up my F2-223 NAS, and I discovered a nasty bug upon adding a rule to open port 1701 for L2TP VPN. Upon saving, the NAS lost all service connectivity (Web GUI, SMB shares, even the ability to respond to ICMP requests). I rebooted the NAS, and that did not remedy the situation.
I was able to SSH into the NAS. I tested hitting the web ports via cURL, and the only thing I could hit was port 80, which did a 302 redirect to 8181. Port 8181 was NOT accessible via localhost using cURL. Restarting nginx did not resolve the issue.
I then inspected the iptables rules. These are the results:
[<username>@nas ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DOS_PROTECT all -- anywhere anywhere
INPUT_FIREWALL all -- anywhere anywhere
INPUT_PROTECT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
FORWARD_FIREWALL all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOS_PROTECT (1 references)
target prot opt source destination
Chain FORWARD_FIREWALL (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:1701
ACCEPT udp -- anywhere anywhere udp dpt:1701
Chain INPUT_FIREWALL (1 references)
target prot opt source destination
ACCEPT udp -- nas anywhere
ACCEPT tcp -- nas anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:1701
ACCEPT udp -- anywhere anywhere udp dpt:1701
Chain INPUT_PROTECT (1 references)
target prot opt source destination
ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:ssh
ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:telnet
ACCEPT tcp -- 10.4.1.2 anywhere tcp dpt:ssh
ACCEPT tcp -- 10.4.1.2 anywhere tcp dpt:telnet
DROP tcp -- anywhere anywhere tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpt:telnet
I added a rule to the INPUT chain to allow all traffic from anywhere to anywhere, and I was able to access the NAS again, and ICMP requests responded as well. I went into the firewall settings via the GUI and removed the rule for port 1701, then listed the tables in iptables:
[<username>@nas ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DOS_PROTECT all -- anywhere anywhere
INPUT_FIREWALL all -- anywhere anywhere
INPUT_PROTECT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
FORWARD_FIREWALL all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOS_PROTECT (1 references)
target prot opt source destination
Chain FORWARD_FIREWALL (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:1701
ACCEPT udp -- anywhere anywhere udp dpt:1701
Chain INPUT_FIREWALL (1 references)
target prot opt source destination
ACCEPT udp -- nas anywhere
ACCEPT tcp -- nas anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:1701
ACCEPT udp -- anywhere anywhere udp dpt:1701
Chain INPUT_PROTECT (1 references)
target prot opt source destination
ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:ssh
ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:telnet
ACCEPT tcp -- 10.4.1.2 anywhere tcp dpt:ssh
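The chain walk that produces the lockout, as an added example that is not part of the original post and not TerraMaster's code: a small Python model of first-match iptables evaluation loaded with the INPUT-side chains from the listing above (without the emergency ACCEPT-all), compared against an assumed minimum ruleset for a default-deny INPUT chain. The NAS address 10.4.1.20, every client address other than 10.4.1.2, and the sample packets are constructed; the "usable" rules (loopback, conntrack ESTABLISHED/RELATED, ICMP, and the GUI port 8181 taken from the 302 redirect) are the standard stateful-firewall minimum, stated here as an assumption about what such a ruleset needs to stay reachable, not as how TOS generates its rules.

```python
"""Model of the iptables filter table from the post, evaluated against
constructed packets, to show why everything except port 1701 (and SSH from
10.0.0.0/8) was dropped, and what a usable default-deny INPUT chain needs.
Added example; the addresses and packets below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NAS_ADDR = "10.4.1.20"   # constructed; the listing only shows it resolved as "nas"
GUI_PORT = 8181          # the port the HTTP 302 redirect in the post points at


@dataclass
class Packet:
    proto: str                     # "tcp", "udp" or "icmp"
    src: str                       # source IP address
    dport: Optional[int] = None    # destination port (None for icmp)
    iface: str = "eth0"            # input interface
    state: str = "NEW"             # conntrack state: NEW or ESTABLISHED


@dataclass
class Rule:
    target: str                           # ACCEPT, DROP, or a user chain to jump to
    proto: Optional[str] = None
    src: Optional[str] = None             # host or CIDR
    dport: Optional[int] = None
    iface: Optional[str] = None           # -i <iface>
    ctstate: Optional[frozenset] = None   # -m conntrack --ctstate ...

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.ctstate is not None and pkt.state not in self.ctstate:
            return False
        return True


class FilterTable:
    """First-match evaluation with jumps: a user chain with no matching rule
    returns to its caller; a built-in chain with no match applies its policy."""

    def __init__(self, policies: Dict[str, str]):
        self.policies = policies          # built-in chains only
        self.chains: Dict[str, list] = {}

    def append(self, chain: str, rule: Rule) -> None:   # like iptables -A
        self.chains.setdefault(chain, []).append(rule)

    def insert(self, chain: str, rule: Rule) -> None:   # like iptables -I (position 1)
        self.chains.setdefault(chain, []).insert(0, rule)

    def verdict(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            jumped = self.verdict(rule.target, pkt)      # jump into a user chain
            if jumped is not None:
                return jumped                            # otherwise RETURN and keep going
        return self.policies.get(chain)                  # None for user chains


def posted_ruleset() -> FilterTable:
    """The INPUT side of the listing in the post, without the user's emergency ACCEPT-all."""
    t = FilterTable({"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"})
    for chain in ("DOS_PROTECT", "INPUT_FIREWALL", "INPUT_PROTECT"):
        t.append("INPUT", Rule(chain))
    # INPUT_FIREWALL: packets sourced from the NAS's own LAN address, plus the 1701 rule
    t.append("INPUT_FIREWALL", Rule("ACCEPT", proto="udp", src=NAS_ADDR))
    t.append("INPUT_FIREWALL", Rule("ACCEPT", proto="tcp", src=NAS_ADDR))
    t.append("INPUT_FIREWALL", Rule("ACCEPT", proto="tcp", dport=1701))
    t.append("INPUT_FIREWALL", Rule("ACCEPT", proto="udp", dport=1701))
    # INPUT_PROTECT: ssh/telnet only from 10/8 and one pinned host, then dropped
    for src in ("10.0.0.0/8", "10.4.1.2"):
        for port in (22, 23):
            t.append("INPUT_PROTECT", Rule("ACCEPT", proto="tcp", src=src, dport=port))
    for port in (22, 23):
        t.append("INPUT_PROTECT", Rule("DROP", proto="tcp", dport=port))
    return t


def usable_ruleset() -> FilterTable:
    """Assumed minimum for a default-deny INPUT chain that does not lock you out:
    loopback, conntrack replies, ICMP and the management port, ahead of the jumps."""
    t = posted_ruleset()
    t.insert("INPUT", Rule("ACCEPT", proto="tcp", src="10.0.0.0/8", dport=GUI_PORT))
    t.insert("INPUT", Rule("ACCEPT", proto="icmp"))
    t.insert("INPUT", Rule("ACCEPT", ctstate=frozenset({"ESTABLISHED", "RELATED"})))
    t.insert("INPUT", Rule("ACCEPT", iface="lo"))   # ends up first, as it should
    return t


# Constructed traffic; of these addresses only 10.4.1.2 appears in the post.
TRAFFIC = {
    "lan client -> web gui":     Packet("tcp", "10.4.1.2", GUI_PORT),
    "lan client -> ping":        Packet("icmp", "10.4.1.2"),
    "lan client -> l2tp":        Packet("udp", "10.4.1.2", 1701),
    "lan client -> ssh":         Packet("tcp", "10.4.1.2", 22),
    "other subnet -> ssh":       Packet("tcp", "192.168.1.9", 22),
    "curl localhost -> web gui": Packet("tcp", "127.0.0.1", GUI_PORT, iface="lo"),
    "dns reply -> nas":          Packet("udp", "10.4.1.1", 40000, state="ESTABLISHED"),
}


def compare() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Verdict of each packet under the posted ruleset and the assumed usable one."""
    broken, fixed = posted_ruleset(), usable_ruleset()
    return {name: (broken.verdict("INPUT", p), fixed.verdict("INPUT", p)) for name, p in TRAFFIC.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:27s} posted={before:6s} usable={after}")
```

Under the posted ruleset nothing in INPUT accepts loopback, conntrack replies, ICMP, or the GUI port, so all of those fall through every user chain and hit the INPUT policy DROP; the two "nas" source rules only match packets whose source is the NAS's LAN address, so a curl against localhost (source 127.0.0.1) is dropped as well, and even replies to connections the NAS itself opened (the constructed DNS reply) are lost. SSH survives only because INPUT_PROTECT accepts it from 10.0.0.0/8. Before enabling any default-deny ruleset on a box you reach over the network, take a snapshot with iptables-save and arrange a timed iptables-restore of it so a bad rule cannot lock you out.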