From db3f39c8f64a717845730f00e56ae8670dd18c64 Mon Sep 17 00:00:00 2001
From: corwin
Date: Tue, 20 May 2025 01:52:45 +0200
Subject: [PATCH] add starter ipset+iptables firewall

Very, very basic. Sourced entire from manual pages, other's "word of mouth" advices, and successful hackery on others' systems (none of whom implied individuals or groups should be blamed for errors, etc.). Thanks in advance for comments and suggestions. Erm.. issues and patches welcome?
---
 init-bot-bl-ipset-and-iptable-rule.sh | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 init-bot-bl-ipset-and-iptable-rule.sh

diff --git a/init-bot-bl-ipset-and-iptable-rule.sh b/init-bot-bl-ipset-and-iptable-rule.sh
new file mode 100644
index 0000000..99666d1
--- /dev/null
+++ b/init-bot-bl-ipset-and-iptable-rule.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/sh
+
+INET_DEV=eth0
+
+# default block list is small, consider maxlen i have used
+# maxelem 4194304 out of necessitity of the moment
+# ideally, plan to add, grow, rotate your ipsets before running
+# something like this
+
+# a "starter" blocklist, nomninally for super-agressive spam-bots
+# which I tend to notice and add by hand
+
+ipset -exist create bot-bl hash:ip timeout 0
+
+# install to prerouting rules of iptables "mangle" table
+# here we want to drop all packets sourced fromv a member of the set
+
+iptables -t mangle -A PREROUTING -i ${INET_DEV} -m set --match-set bot-bl src -j DROP
+
+# Ignoring fail2ban and such, I have to remember/alias/bind a
+# command like this to use it:
+
+# ipset add bot-bl 20.171.207.172
\ No newline at end of file
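Review bot: The `iptables -A` line is not idempotent, so each run of this script appends another identical DROP rule to mangle PREROUTING, whereas the `ipset -exist create` line above it is safe to repeat; guard the rule with a check first, `iptables -t mangle -C PREROUTING -i "${INET_DEV}" -m set --match-set bot-bl src -j DROP 2>/dev/null || iptables -t mangle -A PREROUTING -i "${INET_DEV}" -m set --match-set bot-bl src -j DROP`. With `#!/usr/bin/sh` and no `set -eu`, a failed `ipset create` (module not loaded, not run as root) is not fatal and the rule line then fails on its own with a less obvious error about the missing set, so `set -eu` right after the shebang would surface the first failure instead. The header comment says `maxelem 4194304` was used, but the `ipset create` line passes no `maxelem`, so the set gets ipset's default limit; either add the option to the command or drop that sentence from the comment. Both the set and the rule exist only in kernel memory, so a comment noting that neither survives a reboot without `ipset save`/`iptables-save` style persistence would help a reader who treats this as the firewall.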