sys-misc/init-bot-bl-ipset-and-iptable-rule.sh

#!/usr/bin/sh

INET_DEV=eth0

# default block list is small, consider maxlen i have used 
# maxelem 4194304 out of necessitity of the moment
# ideally, plan to add, grow, rotate your ipsets before running
# something like this

# a "starter" blocklist, nomninally for super-agressive spam-bots
# which I tend to notice and add by hand

ipset -exist create bot-bl hash:ip timeout 0

# install to prerouting rules of iptables "mangle" table 
# here we want to drop all packets sourced fromv a member of the set 

iptables -t mangle -A PREROUTING -i ${INET_DEV} -m set --match-set bot-bl src -j DROP

# Ignoring fail2ban and such, I have to remember/alias/bind a 
# command like this to use it:

# ipset add bot-bl 20.171.207.172
add starter ipset+iptables firewall Very, very basic. Sourced entire from manual pages, other's "word of mouth" advices, and successful hackery on others' systems (none of whom implied individuals or groups should be blamed for errors, etc.). Thanks in advance for comments and suggestions. Erm.. issues and patches welcome? 2025-05-20 01:52:45 +02:00			`#!/usr/bin/sh`

			`INET_DEV=eth0`

			`# default block list is small, consider maxlen i have used`
			`# maxelem 4194304 out of necessitity of the moment`
			`# ideally, plan to add, grow, rotate your ipsets before running`
			`# something like this`

			`# a "starter" blocklist, nomninally for super-agressive spam-bots`
			`# which I tend to notice and add by hand`

			`ipset -exist create bot-bl hash:ip timeout 0`

			`# install to prerouting rules of iptables "mangle" table`
			`# here we want to drop all packets sourced fromv a member of the set`

			`iptables -t mangle -A PREROUTING -i ${INET_DEV} -m set --match-set bot-bl src -j DROP`

			`# Ignoring fail2ban and such, I have to remember/alias/bind a`
			`# command like this to use it:`

			`# ipset add bot-bl 20.171.207.172`