I have got this working in production, so I know it works. The trick to make it persistent is the following:
- Create an ipset with the following command (-N is the older alias for create):
ipset create blockips hash:net family inet hashsize 16384 maxelem 65536
- Add the following to the /etc/shorewall/blrules file:
#ACTION SOURCE DEST PROTO DPORT
DROP net:+blockips fw
- At the end of the script, do the following:
3.1) Save all of the IP addresses into a text file.
3.2) Add each IP address in the file to the IPSet. Example code:
while read -r line; do
    # -exist: do not fail on entries that are already in the set
    ipset -exist -A blockips "$line"
done < /root/blacklist/blacklisthitstmp3
3.3) Save the IPSet. Example code:
ipset -S > /etc/shorewall/ipsets
- Create the /etc/e-smith/templates-custom/etc/shorewall/shorewall.conf/60options file with the following in it:
BLACKLIST="ALL"
I got a lot of this from a previous discussion on a similar topic, Linking IPset into Shorewall. I suspect that I have missed one or two minor commands, but this should get you 98% of the way there. If I remember what I have missed, I will post it here.
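A fuller version of the ipset creation and the 3.1 to 3.3 script steps above, added here as an example and not part of the original post. It keeps the set name blockips, the hash:net parameters and the /root/blacklist/blacklisthitstmp3 and /etc/shorewall/ipsets paths from the post. The per-entry validation, the temporary set blockips_tmp and the use of ipset swap (so the live set the blrules DROP points at is never empty or half filled while it is being rebuilt) are additions, as are the --load flag, the environment variable overrides and the sample blacklist contents in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the "blockips" ipset from
# a blacklist file and save it, without a window where the set is empty.
# Set name, hash:net parameters and file paths follow the post; everything else
# (validation, temporary set, swap, --load flag) is an assumption made here.

SET_NAME="${SET_NAME:-blockips}"
BLACKLIST_FILE="${BLACKLIST_FILE:-/root/blacklist/blacklisthitstmp3}"
SAVE_FILE="${SAVE_FILE:-/etc/shorewall/ipsets}"
SET_PARAMS="hash:net family inet hashsize 16384 maxelem 65536"

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
# Anything else (hostnames, IPv6, garbage) is rejected, so one bad line in the
# blacklist cannot abort the whole "ipset restore".
valid_ipv4_net() {
    case $1 in
        ''|*[!0-9./]*) return 1 ;;
    esac
    ip=${1%/*}
    prefix=32
    case $1 in
        */*) prefix=${1#*/} ;;
    esac
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read the blacklist file (one IPv4 address or CIDR per line; '#' comments and
# blank lines allowed) and print "add <set> <entry>" lines for "ipset restore".
# Invalid entries are reported on stderr and skipped.
emit_restore_lines() {
    set_name=$1
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        if valid_ipv4_net "$entry"; then
            printf 'add %s %s\n' "$set_name" "$entry"
        else
            printf 'blacklist: skipping invalid entry "%s"\n' "$entry" >&2
        fi
    done < "$2"
}

# Replace the live set atomically: fill a temporary set of the same type, swap
# it with the live one, then destroy the old contents. The blrules DROP keeps
# matching on "blockips" throughout. Needs root; "-exist" makes the create of
# an already present set and duplicate adds idempotent.
load_blacklist() {
    tmp="${SET_NAME}_tmp"
    ipset destroy "$tmp" 2>/dev/null || true   # leftover from an interrupted run
    {
        printf 'create %s %s\n' "$SET_NAME" "$SET_PARAMS"
        printf 'create %s %s\n' "$tmp" "$SET_PARAMS"
        emit_restore_lines "$tmp" "$BLACKLIST_FILE"
        printf 'swap %s %s\n' "$tmp" "$SET_NAME"
        printf 'destroy %s\n' "$tmp"
    } | ipset -exist restore || { echo "ipset restore failed" >&2; return 1; }
    # Same as the post's "ipset -S": dump all sets so they can be restored later.
    ipset save > "$SAVE_FILE"
}

# Run as root once the blacklist file has been written:  sh thisscript.sh --load
if [ "${1:-}" = "--load" ]; then
    load_blacklist
fi
```

Feeding a restore script to a single ipset process is also much faster than one ipset call per line, which matters once the blacklist grows into the tens of thousands of entries the maxelem above allows. The blrules entry and the BLACKLIST setting in shorewall.conf are unchanged by this; the script only rebuilds the set they reference.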