Difference between revisions of "Installing xtables-addons on Raspbian"

From Tomelec
Jump to: navigation, search
(Final thoughts)
m (Get the xtables-addons source)
 
(3 intermediate revisions by the same user not shown)
Line 25: Line 25:
 
On the 9th of January 2014, with Raspbian kernel version 3.12.35+ and iptables version 1.4.14, I decided to go with xtables-addons version 2.5.
 
On the 9th of January 2014, with Raspbian kernel version 3.12.35+ and iptables version 1.4.14, I decided to go with xtables-addons version 2.5.
  
Download it from SourceForge. Then unpack it, configure it, make it, install it:
+
Download it from [http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/2.5/ SourceForge]. Then unpack it, configure it, make it, install it:
 
  <nowiki># in some nice location, eg. the home directory, do:
 
  <nowiki># in some nice location, eg. the home directory, do:
 
tar -xf xtables-addons-2.5.tar.xz
 
tar -xf xtables-addons-2.5.tar.xz
Line 37: Line 37:
 
You can disable unneeded modules by editing the file 'mconfig' and speed-up the process.
 
You can disable unneeded modules by editing the file 'mconfig' and speed-up the process.
  
 +
'''Or''' be lazy and use the pre-compiled modules for '''kernel 3.12.35+''': [http://tomelec.net/files/20150109_xtables-addons_raspbian_3.12.35+.tar.gz download]
  
 
==Download and build the geoip database==
 
==Download and build the geoip database==
Line 47: Line 48:
  
 
=Final thoughts=
 
=Final thoughts=
* Feel free to delete the leftovers of ''rpi-source'' (~/linux-xxxxxx.tar.gz). You might also want remove the xtables-addons build directory.
+
* Feel free to delete the leftovers of ''rpi-source'' (~/linux-....tar.gz). You might also want remove the xtables-addons build directory.
 
* There are no automated updates when using this method! If the kernel is updated, xtables-addons needs to be rebuilt and installed. Geoip database updates have to be done manually or via a custom cronjob.
 
* There are no automated updates when using this method! If the kernel is updated, xtables-addons needs to be rebuilt and installed. Geoip database updates have to be done manually or via a custom cronjob.
 
* Have fun with xtables-addons on your Pi!
 
* Have fun with xtables-addons on your Pi!

Latest revision as of 02:16, 18 January 2015

Why?

Annoyed by tons of SSH brutforce attacs, I was looking for a way to lock out connections coming from other countries than the desired ones. xtables-addons got the geoip module which enables us to use rules like

iptables -A INPUT -i wan -p tcp --dport 22 -m state --state NEW -m geoip ! --src-cc AT,DE -j GEOIP_BLOCK_LOG

This example would match on connections not originating from Austria (AT) or Germany (DE). I wanted to use it on a Raspberry Pi running Raspbian.

How?

Raspbian, a Debian based operating system for the Raspberry Pi, is a bit different to other Debian distributions when it comes to add kernel modules. The Kernel sources can not be installed using the packet manager but are downloaded and set up by a separate tool.


Getting the latest kernel and sources

  • Update to the latest kernel and firmware using the rpi-update script as described here.
  • Reboot the Pi
  • Download and install the kernel source using rpi-source, see rpi-source.


Install packets from the repository

sudo apt-get install libtext-csv-xs-perl geoip-database libgeoip1

Other tools might be required. Please tell me if anything is missing here.

Debain How To´s on that topic describe the use of module-assistant for making the kernel modules. I did not succeed using it on Raspbian!


Get the xtables-addons source

On the 9th of January 2014, with Raspbian kernel version 3.12.35+ and iptables version 1.4.14, I decided to go with xtables-addons version 2.5.

Download it from SourceForge. Then unpack it, configure it, make it, install it:

# in some nice location, eg. the home directory, do:
tar -xf xtables-addons-2.5.tar.xz
cd xtables-addons-2.5
./configure
make

# if everything went fine, install it:
sudo make install

You can disable unneeded modules by editing the file 'mconfig' and speed-up the process.

Or be lazy and use the pre-compiled modules for kernel 3.12.35+: download

Download and build the geoip database

As root (sudo -i):

mkdir /usr/share/xt_geoip
cd /usr/share/xt_geoip
/usr/lib/xtables-addons/xt_geoip_dl
/usr/lib/xtables-addons/xt_geoip_build -D . *.csv


Final thoughts

  • Feel free to delete the leftovers of rpi-source (~/linux-....tar.gz). You might also want remove the xtables-addons build directory.
  • There are no automated updates when using this method! If the kernel is updated, xtables-addons needs to be rebuilt and installed. Geoip database updates have to be done manually or via a custom cronjob.
  • Have fun with xtables-addons on your Pi!