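#!/usr/bin/sh
#
# Install a hand-maintained IPv4 blocklist (ipset "bot-bl") plus one
# iptables rule that drops every inbound packet on INET_DEV whose source
# address is a member of that set.
#
# Usage: run as root (ipset/iptables need CAP_NET_ADMIN).
#        INET_DEV=eth1 ./this-script     # override the ingress interface
#
# Ignoring fail2ban and such, entries are added/removed by hand; remember,
# alias or bind a command like:
#        ipset add bot-bl 20.171.207.172
#        ipset del bot-bl 20.171.207.172
#
# Scope caveats:
#   - hash:ip defaults to the inet (IPv4) family, so this covers IPv4 only.
#     An IPv6 blocklist needs its own set (family inet6) and an ip6tables
#     rule, otherwise the same host is still reachable over v6.
#   - Nothing here persists the set across reboots; save it with
#     `ipset save` and restore it *before* the iptables rule is loaded,
#     or the rule will fail to install because the set does not exist.

# Portable strict subset: fail on unhandled errors and on unset variables.
set -eu

# Ingress interface to filter on; overridable from the environment.
INET_DEV="${INET_DEV:-eth0}"

# Name of the blocklist set.  External tooling (aliases, fail2ban actions)
# refers to it by this name, so keep it stable.
BL_SET=bot-bl

die() { printf '%s\n' "$*" >&2; exit 1; }

# Both tools are required, and both need root to touch the kernel state.
command -v ipset >/dev/null 2>&1 || die "ipset not found in PATH"
command -v iptables >/dev/null 2>&1 || die "iptables not found in PATH"
[ "$(id -u)" -eq 0 ] || die "must be run as root"

# A "starter" blocklist, nominally for super-aggressive spam bots that I
# tend to notice and add by hand.
#   -exist    : idempotent create -- an existing set with the *same*
#               parameters is not an error.  A set that exists with
#               different parameters still is; destroy/recreate it by hand.
#   timeout 0 : entries never expire by default.  Enabling "timeout" on
#               the set is what allows per-entry "ipset add ... timeout N".
# The default maxelem is small (65536).  A large blocklist needs e.g.
# "maxelem 4194304" at creation time (what I used out of necessity of the
# moment); plan to add, grow and rotate your ipsets before running
# something like this, since maxelem cannot be changed afterwards.
ipset -exist create "$BL_SET" hash:ip timeout 0

# Drop all packets arriving on INET_DEV that are sourced from a member of
# the set.  Installed in the PREROUTING chain of the "mangle" table.
# NOTE(review): the raw table's PREROUTING hook runs even earlier (before
# connection tracking); mangle is kept here to preserve existing behaviour.
# Check with -C first so re-running the script does not append a duplicate
# rule each time (-C needs iptables >= 1.4.11).
if ! iptables -t mangle -C PREROUTING -i "$INET_DEV" -m set --match-set "$BL_SET" src -j DROP 2>/dev/null; then
  iptables -t mangle -A PREROUTING -i "$INET_DEV" -m set --match-set "$BL_SET" src -j DROP
fi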