Everybody running a server on a Raspberry with an open internet connection should protect it against unauthorized access. There are various ways to do this. One additional protection is to restrict access to the Raspberry to specific IP ranges. The easiest way is to use geoip and iptables and allow access only from IPs in your country. This only makes sense if the server is used by you alone and is not an open server for everybody (owncloud, seafile, ...).
Execute the following steps to install geoip on Raspbian Buster
Buster now uses nft instead of iptables and requires a different format of the geoip files.
1) Install xtables-addons
sudo apt install xtables-addons-common libnet-cidr-lite-perl libtext-csv-xs-perl libgeoip2-perl
2) Enable xt_geoip
sudo modprobe xt_geoip
echo "xt_geoip" | sudo tee -a /etc/modules-load.d/modules.conf
3) Download geoip files
mkdir /tmp/geoip
cd /tmp/geoip
/usr/lib/xtables-addons/xt_geoip_dl
4) Build the geoip database now
sudo mkdir -p /usr/share/xt_geoip
cd GeoLite2-Country-CSV_20190709
sudo /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip
5) Add iptables rules to accept IPs from US and Germany
Example:
iptables -A INPUT -m geoip --src-cc DE,US -m conntrack --ctstate NEW -j ACCEPT
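6) Create the following script to update your geoip database on a regular basis
#!/bin/bash
# Abort on the first error so a failed download does not reach the build step
set -euo pipefail
# Download the current CSV files into a temporary directory
geotmpdir=$(mktemp -d)
OLDPWD="${PWD}"
cd "${geotmpdir}"
/usr/lib/xtables-addons/xt_geoip_dl
# The only entry here is expected to be the unpacked GeoLite2-Country-CSV_<date> directory
dir="$(ls)"
cd "${dir}"
# Rebuild the database used by xt_geoip
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip
cd "${OLDPWD}"
rm -r "${geotmpdir}"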
Execute the following steps to install geoip on Raspbian Stretch
1) Install the xtables-addons
sudo apt-get install raspberrypi-kernel-headers
wget http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/xtables-addons-2.14.tar.xz
tar xf xtables-addons-2.14.tar.xz
cd xtables-addons-2.14
./configure
make
make install
or
Kudos to @Basti
You can also use DKMS to build this module. Place the source in /usr/src/xtables-addons-2.14, for example, and create a dkms.conf in there. I have used the file shipped with xtables-addons-dkms_2.12-0.1_all.deb and edited PACKAGE_VERSION="2.14" and DEST_MODULE_LOCATION[0]="/extra". More info about DKMS: https://wiki.ubuntuusers.de/DKMS/
2) Create a file /usr/local/bin/installGeoIP.sh and insert the following code
#!/bin/bash
set -euo pipefail
# Install the required packages if they are missing (errors are tolerated here)
set +e
if ! dpkg -l xtables-addons-common >/dev/null ; then
    apt install xtables-addons-common
fi
if ! dpkg -l libtext-csv-xs-perl >/dev/null ; then
    apt install libtext-csv-xs-perl
fi
set -e
# Target directory for the built geoip database
if [ ! -d /usr/share/xt_geoip ]; then
    mkdir /usr/share/xt_geoip
fi
# Download the CSV files into a temporary directory and build the database
geotmpdir=$(mktemp -d)
csv_files="${geotmpdir}/GeoIPCountryWhois.csv ${geotmpdir}/GeoIPv6.csv"
OLDPWD="${PWD}"
cd "${geotmpdir}"
/usr/lib/xtables-addons/xt_geoip_dl
# ${csv_files} is left unquoted on purpose so that it expands to two arguments
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip ${csv_files}
cd "${OLDPWD}"
rm -r "${geotmpdir}"
exit 0
3) Make this file executable and invoke it
chmod +x /usr/local/bin/installGeoIP.sh
installGeoIP.sh
4) Add iptables rules to accept IPs from US and Germany
Example:
iptables -A INPUT -m geoip --src-cc DE,US -m conntrack --ctstate NEW -j ACCEPT
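The ACCEPT rule from step 5 (Buster) and step 4 (Stretch) only restricts access when everything it does not match is dropped. The following script is an added example, not part of the original page: it prints a complete INPUT ruleset for review without applying anything. The LAN range 192.168.0.0/24, the default-DROP policy and the function names are assumptions.

```shell
#!/bin/sh
# Added example: prints a geoip allow-list for INPUT so it can be reviewed
# before anything is applied. Assumptions, not from the page: the LAN range
# passed as the second argument and a default-DROP policy.

# valid_cc LIST: accept only comma-separated two-letter upper-case codes,
# the form --src-cc takes (e.g. DE,US). The case guard rejects newlines.
valid_cc() {
    case "$1" in *[!A-Z,]*) return 1 ;; esac
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$'
}

# valid_cidr NET: shape check for dotted-quad/prefix, e.g. 192.168.0.0/24.
valid_cidr() {
    case "$1" in *[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'
}

# geoip_ruleset CC_LIST LAN_CIDR: print the rules in the order they must be
# appended. The DROP policy comes last so an established SSH session is
# already covered by the ESTABLISHED,RELATED rule when it takes effect.
geoip_ruleset() {
    if ! valid_cc "$1" || ! valid_cidr "$2"; then
        echo "usage: geoip_ruleset CC[,CC...] LAN_CIDR" >&2
        return 1
    fi
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $2 -j ACCEPT
iptables -A INPUT -m geoip --src-cc $1 -m conntrack --ctstate NEW -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Constructed sample input: the page's DE,US list and an assumed home LAN.
geoip_ruleset "DE,US" "192.168.0.0/24"
```

The printed rules cover IPv4 only; ip6tables needs an equivalent set. On a remote machine, check access from a second session before making the rules persistent.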
Issues
If you get the error message "iptables: No chain/target/match by that name.", test whether the xtables-addons are installed correctly
modprobe -c | grep x_tab
should display a long list of modules.
modprobe xt_geoip
should succeed.
depmod -a
may also help to fix the issue.

