Everybody running a server on a Raspberry with an open internet connection should protect against unauthorized access. There are various ways to protect. An additional protection is to restrict access to the Raspberry to specific IP ranges. The easiest way to do this is by using geoip and iptables and allow access from IPs from your country only. Actually this makes sense only if the server is used by you only and is no open server for everybody (owncloud, seafile, ...).

Just execute following steps in order to install geoip on Raspbian Stretch:

1) Install the xtables-addons

sudo apt-get install raspberrypi-kernel-headers

wget http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/xtables-addons-2.14.tar.xz
tar xf xtables-addons-2.14.tar.xz
cd xtables-addons-2.14
./configure
make
make install

or

Kudos to @Basti

You can also use DKMS to build this module. Place source to /usr/src/xtables-addons-2.14 for example and create a dkms.conf in there. I have used the file shipped with xtables-addons-dkms_2.12-0.1_all.deb and edit the PACKAGE_VERSION="2.14" and
DEST_MODULE_LOCATION[0]="/extra". More infos about dkms (https://wiki.ubuntuusers.de/DKMS/).

 

2) Create a file /usr/local/bin/installGeoIP.sh and insert following code

#!/bin/bash
set -euo pipefail

set +e
if ! dpkg -l xtables-addons-common >/dev/null ; then
        apt install xtables-addons-common
fi
if ! dpkg -l libtext-csv-xs-perl >/dev/null ; then
        apt install libtext-csv-xs-perl
fi
set -e

if [ ! -d /usr/share/xt_geoip ]; then
        mkdir /usr/share/xt_geoip
fi

geotmpdir=$(mktemp -d)
csv_files="${geotmpdir}/GeoIPCountryWhois.csv ${geotmpdir}/GeoIPv6.csv"
OLDPWD="${PWD}"
cd "${geotmpdir}"
/usr/lib/xtables-addons/xt_geoip_dl
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip ${csv_files}
cd "${OLDPWD}"
rm -r "${geotmpdir}"
exit 0

3) Make this file executable and invoke it

chmod +x /usr/local/bin/installGeoIP.sh

installGeoIP.sh

4) Add iptables rules to accept IPs from US and Germany

Example:

iptables -A INPUT -m geoip --src-cc DE,US -m conntrack --ctstate NEW -j ACCEPT

 

Issues

If you get iptables: No chain/target/match by that name. error messages test whether the xtables_addons are installed correctly

modprobe -c | grep x_tab

should display a long list of modules.

modprobe xt_geoip

Should succeed.

depmod -a

may also help to fix the issue.

 

References

Maxmind geoip

GeoIP based filtering with iptables

Linoxide: Block IP from countries using Geoip

Netfilter: geoip howto

Xtables-addons (source code)

Blocklist ipsets

How to install kernel headers

Linxu headers rpi from mhieenka
Solved: iptables & geoip

rpi-source wiki

Kommentar schreiben

Hinweis

Spam Kommentare werden gelöscht und nicht veröffentlicht. Die Überprüfung wird manuell vorgenommen und deshalb dauert es i.d.R. zwischen ein paar Stunden bis zu einem Tag bis ein Kommentar veröffentlicht wird.

Kommentare   
#4 framp 2018-07-04 19:15
Thx Basti for your comment. I just added it in the arcticle.
Zitieren
#3 Basti 2018-07-04 09:40
You can also use DKMS to build this module. Place source to /usr/src/xtables-addons-2.14 for example and create a dkms.conf in there. I have used the file shipped with xtables-addons-dkms_2.12-0.1_all.deb and edit the PACKAGE_VERSION="2.14" and
DEST_MODULE_LOCATION[0]="/extra". More infos about dkms (https://wiki.ubuntuusers.de/DKMS/).
Zitieren
#2 framp 2018-03-05 20:01
Hello Gast,

re 1) I copied and pasted the script on my box and was able to execute it without any errors.

re 2) The errór message just says the chain name INPUT is not known. But that's a standard chain name. Check with Code:sudo iptables -L -v. Are you sure you used INPUT without any other non visible characters as the chain name? Looks like it's a similar copy/paste issue you had with the script. Try to type in the command and don't use copy/paste.

Cu framp
Zitieren
#1 Gast 2018-03-05 02:25
Hi there,
thanks for this short but very clear tutorial on getting geoIP blocking into a raspberry. I am relatively new on linux and rasberrian, but I read and test alot to learn.

Now I am struggeling with 2 steps in your tutorial, 1 of them i could work around:

1.: after invoking installGeoIP.sh i got an error nearly to the end of the process saying: "error on line 8". And it seems that something was missing.
I then executed parts of the script by hand and by invoking: apt install libtext-csv-xs-perl it downloaded the package. after that, invoking the script again, it ran fine.

2. calling: iptables -A INPUT -m geoip --src-cc DE,US -m conntrack --ctstate NEW -j ACCEPT
is not working for me: Error: iptables: No chain/target/match by that name.
unsure whats the problem here, but seems to me that this is related to the part " --src-cc ?

maybe you can specify details or check if there is s.th. no longer working?

Thanks.
Zitieren