Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

Everybody running a server on a Raspberry with an open internet connection should protect against unauthorized access. There are various ways to protect. An additional protection is to restrict access to the Raspberry to specific IP ranges. The easiest way to do this is by using geoip and iptables and allow access from IPs from your country only. Actually this makes sense only if the server is used by you only and is no open server for everybody (owncloud, seafile, ...).

Just execute following steps in order to install geoip on Raspbian Stretch:

1) Install the xtables-addons

sudo apt-get install raspberrypi-kernel-headers

tar xf xtables-addons-2.14.tar.xz
cd xtables-addons-2.14
make install


Kudos to @Basti

You can also use DKMS to build this module. Place source to /usr/src/xtables-addons-2.14 for example and create a dkms.conf in there. I have used the file shipped with xtables-addons-dkms_2.12-0.1_all.deb and edit the PACKAGE_VERSION="2.14" and
DEST_MODULE_LOCATION[0]="/extra". More infos about dkms (


2) Create a file /usr/local/bin/ and insert following code

set -euo pipefail

set +e
if ! dpkg -l xtables-addons-common >/dev/null ; then
        apt install xtables-addons-common
if ! dpkg -l libtext-csv-xs-perl >/dev/null ; then
        apt install libtext-csv-xs-perl
set -e

if [ ! -d /usr/share/xt_geoip ]; then
        mkdir /usr/share/xt_geoip

geotmpdir=$(mktemp -d)
csv_files="${geotmpdir}/GeoIPCountryWhois.csv ${geotmpdir}/GeoIPv6.csv"
cd "${geotmpdir}"
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip ${csv_files}
cd "${OLDPWD}"
rm -r "${geotmpdir}"
exit 0

3) Make this file executable and invoke it

chmod +x /usr/local/bin/

4) Add iptables rules to accept IPs from US and Germany


iptables -A INPUT -m geoip --src-cc DE,US -m conntrack --ctstate NEW -j ACCEPT



If you get iptables: No chain/target/match by that name. error messages test whether the xtables_addons are installed correctly

modprobe -c | grep x_tab

should display a long list of modules.

modprobe xt_geoip

Should succeed.

depmod -a

may also help to fix the issue.



Maxmind geoip

GeoIP based filtering with iptables

Linoxide: Block IP from countries using Geoip

Netfilter: geoip howto

Xtables-addons (source code)

Blocklist ipsets

How to install kernel headers

Linxu headers rpi from mhieenka
Solved: iptables & geoip

rpi-source wiki

Alternative: ipset usage (German)

Add comment


Spam comments are purged and not published. Review is done manually and therefore it usually takes between some hours and one day until a comment will be published.