Add custom iptables rules on QNAP NAS
by mackowiakp from LinuxQuestions.org on (#58S69)
How can I add entries to an existing iptables rule set on the QNAP NAS itself? The point is, I have several containers in my NAS, all configured as a bridge. Hence, they are in the same network as the NAS but have different IP addresses of course.
I mean adding port to IP address redirects. This is because it has a dynamic IP from Orange, but of course the device is always available under the name <my_domain>.myqnapcloud.com. And on the router, when it comes to access from outside, there is no problem with redirecting the port to the address/port.
The problem is if I am with a tablet, laptop or phone when I am within the range of the home LAN/WiFi network. I have DNS for my internal/home network.
But if, from within the home network, I use the address <my_domain>.myqnapcloud.com:<port>, then of course such a call will be directed to the NAS itself and not to one of its containers. I would like to add redirection rules so that some system modification (e.g. adding a container, installing an FW upgrade) does not overwrite these changes.
I write right away that I would not like to use an additional container with a router because it is a duplication of the solution and I do not want to interfere with what the NAS does in accordance with what it has in FW.
I am thinking of the following scenario:
- after boot the NAS will load its default iptables ruleset;
- after boot, backup of existing iptables rules is performed (I don't know how);
- necessary port to IP/port redirections are added to the mentioned rules (I do not know where in the existing iptables set);
- a flush of existing rules is performed and new rules are applied.
Below is a listing of the current (default) iptables rules from the NAS.
Could any of my colleagues help me?
[~] # iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
2 DOCKER-ISOLATION all -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4 DOCKER all -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
7 SYSDOCKER-ISOLATION all -- 0.0.0.0/0 0.0.0.0/0
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
9 SYSDOCKER all -- 0.0.0.0/0 0.0.0.0/0
10 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
11 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 DROP all -- 0.0.0.0/0 0.0.0.0/0 match-set BRNOIPSET src,dst
Chain DOCKER (1 references)
num target prot opt source destination
Chain DOCKER-ISOLATION (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain SYSDOCKER (1 references)
num target prot opt source destination
Chain SYSDOCKER-ISOLATION (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0

[~] # iptables -t nat -L --line-numbers -n
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 SYSDOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
2 DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 SYSDOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
2 DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type LOCAL
2 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type LOCAL
3 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 mark match ! 0x0/0xffff
4 VPNNAT all -- 0.0.0.0/0 0.0.0.0/0
5 SYSNAT all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (2 references)
num target prot opt source destination
Chain SYSDOCKER (2 references)
num target prot opt source destination
Chain SYSNAT (1 references)
num target prot opt source destination
1 MASQUERADE all -- 10.0.5.0/24 0.0.0.0/0
2 MASQUERADE all -- 10.0.3.0/24 0.0.0.0/0
Chain VPNNAT (1 references)
num target prot opt source destination
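A boot-time script that does what the scenario above describes (back up the live rules, then add hairpin redirects for LAN clients without flushing the NAS's own chains), added here as an example and not taken from the original post or from QNAP. The NAS address, LAN range, container addresses, ports, backup path and the boot hook are assumed placeholders, and the script assumes the NAS can route to the container addresses.

```shell
#!/bin/sh
# Boot-time helper (added example, not QNAP code): back up the live rules, then
# add hairpin redirects for LAN clients without flushing the NAS's own chains.
# NAS_IP, LAN_NET, BACKUP_DIR and the REDIRECTS table are assumed placeholders.
NAS_IP="${NAS_IP:-192.168.1.10}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
BACKUP_DIR="${BACKUP_DIR:-/tmp/iptables-backup}"
IPT="${IPT:-iptables}"
# Constructed table, one redirect per line: "<nas_port> <container_ip> <container_port>"
REDIRECTS='
8080 192.168.1.50 80
2222 192.168.1.51 22
'

# Print the iptables arguments for one redirect (three rules).
# "-I ... 1" places them ahead of the SYSDOCKER/DOCKER jumps seen in the listing.
# Matching only LAN sources keeps the redirect from applying to other traffic, and
# the MASQUERADE makes the container reply via the NAS (hairpin); without it the
# container would answer the client directly and the connection would fail.
hairpin_rules() {
  port=$1; cip=$2; cport=$3
  printf '%s\n' \
    "-t nat -I PREROUTING 1 -s $LAN_NET -d $NAS_IP -p tcp --dport $port -j DNAT --to-destination $cip:$cport" \
    "-t nat -I POSTROUTING 1 -s $LAN_NET -d $cip -p tcp --dport $cport -j MASQUERADE" \
    "-I FORWARD 1 -s $LAN_NET -d $cip -p tcp --dport $cport -m conntrack --ctstate NEW -j ACCEPT"
}

# Turn an insert spec into the equivalent -C (check) spec so reruns are idempotent.
to_check() { printf '%s' "$1" | sed 's/-I \([A-Z]*\) 1 /-C \1 /'; }

# Add a rule only if it is not already present (word splitting into arguments is intended).
apply_rule() {
  check=$(to_check "$1")
  $IPT $check 2>/dev/null || $IPT $1
}

# Save the current rules so the default set can be restored with iptables-restore.
backup_rules() {
  mkdir -p "$BACKUP_DIR"
  iptables-save > "$BACKUP_DIR/rules-$(date +%Y%m%d-%H%M%S).v4"
}

apply_all() {
  printf '%s\n' "$REDIRECTS" | while read -r port cip cport; do
    [ -n "$port" ] || continue
    hairpin_rules "$port" "$cip" "$cport" | while read -r rule; do apply_rule "$rule"; done
  done
}

# Run as "sh this.sh apply" from a boot hook; defining the functions alone changes nothing.
if [ "${1:-}" = "apply" ]; then backup_rules && apply_all; fi
```

Because every rule is checked with -C before being inserted, the script can be rerun after an upgrade or a container change without stacking duplicate rules.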