Everybody running a server on a Raspberry with an open internet connection should protect against unauthorized access. There are various ways to protect. An additional protection is to restrict access to the Raspberry to specific IP ranges. The easiest way to do this is by using geoip and iptables and allow access from IPs from your country only. Actually this makes sense only if the server is used by you only and is no open server for everybody (owncloud, seafile, ...).

Just execute following steps in roder to install geoip on Raspbian Stretch:

1) Install the kernel header files

sudo apt-get install raspberrypi-kernel-headers

2) Create a file /usr/local/bin/installGeoIP.sh and insert following code

#!/bin/bash
set -euo pipefail

set +e
if ! dpkg -l xtables-addons-common >/dev/null ; then
        apt install xtables-addons-common
fi
if ! dpkg -l libtext-csv-xs-perl >/dev/null ; then
        apt install libtext-csv-xs-perl
fi
set -e

if [ ! -d /usr/share/xt_geoip ]; then
        mkdir /usr/share/xt_geoip
fi

geotmpdir=$(mktemp -d)
csv_files="${geotmpdir}/GeoIPCountryWhois.csv ${geotmpdir}/GeoIPv6.csv"
OLDPWD="${PWD}"
cd "${geotmpdir}"
/usr/lib/xtables-addons/xt_geoip_dl
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip ${csv_files}
cd "${OLDPWD}"
rm -r "${geotmpdir}"
exit 0

3) Make this file executable and invoke it

chmod +x /usr/local/bin/installGeoIP.sh

installGeoIP.sh

4) Add iptables rules to accept IPs from US and Germany

Example:

iptables -A INPUT -m geoip --src-cc DE,US -m conntrack --ctstate NEW -j ACCEPT

 

References

Maxmind geoip

GeoIP based filtering with iptables

Netfilter: geoip howto

Blocklist ipsets

How to install kernel headers

Linxu headers rpi from mhieenka
Solved: iptables & geoip

rpi-source wiki

Add comment

Note

eMail is not visible to the public and used to subscribe you to comment updates. You can unsubscribe at any time because any notification eMail has an unsubscribe link.

Spam comments are purged and not published to protect subscribers from spam eMails. Review is done manually and therefore your comment will not be published immediately.