How to Blacklist an Entire AS with Shorewall

An AS (Autonomous System) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators (or Internet Service Providers, ISPs). In this article, I show how to use Shorewall to block connection attempts from the whole set of IPv4 addresses assigned to the French ISP OVH.
OVH has held the unenviable record of figuring in the top 10 worst ISPs for a number of years now. By worst, I mean that despite their recent marketing campaign, they still occupy the sixth position in the Spamhaus worst spam supporters report.
As far as IPv4 is concerned, OVH has been assigned AS16276 which, in turn, corresponds to this list of addresses.
To effectively ban OVH from your boxes, all you have to do is download the list and add it to your /etc/shorewall/blrules file, like this:

#Ban the whole OVH IPv4 network
DROP net:103.5.12.0/22 all
DROP net:107.189.64.0/18 all
DROP net:137.74.0.0/16 all
...

Then save the file and restart shorewall:

# systemctl restart shorewall

Et voilà: no more spam or brute-force attacks from OVH. The same can be accomplished with IPv6 addresses.
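
The download-and-paste step can be scripted. The following is an added example, not part of the original article: a POSIX shell function that turns a prefix list into blrules entries, skipping IPv6 prefixes, duplicates and malformed lines. The input format (one CIDR prefix per line) and the names gen_blrules and sample_list are assumptions.

```shell
#!/bin/sh
# Added example: build Shorewall blrules entries from a prefix list.
# Assumption: the list has one CIDR prefix per line, optionally with "#" comments.

# gen_blrules [FILE...]: read prefixes from FILE(s) or stdin and print one
# "DROP net:<prefix> all" line per valid, unique IPv4 prefix.
gen_blrules() {
    awk '
    # True only for a.b.c.d/len with octets 0-255, len 0-32 and no host bits set.
    function valid(p,    a, o, i, addr) {
        if (split(p, a, "/") != 2 || a[2] !~ /^[0-9]+$/ || a[2] + 0 > 32) return 0
        if (split(a[1], o, ".") != 4) return 0
        addr = 0
        for (i = 1; i <= 4; i++) {
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            addr = addr * 256 + o[i]
        }
        return addr % (2 ^ (32 - a[2])) == 0
    }
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }   # drop comments and whitespace
    $0 == "" { next }                          # blank or comment-only line
    /:/      { next }                          # IPv6 prefix: not for this IPv4 file
    !valid($0) { print "skipping invalid entry: " $0 > "/dev/stderr"; next }
    !seen[$0]++ { print "DROP net:" $0 " all" }
    ' "$@"
}

# Constructed sample input: the three prefixes shown in the article plus a
# duplicate, an IPv6 documentation prefix and two malformed entries.
sample_list() {
    cat <<'EOF'
# constructed sample list
103.5.12.0/22
107.189.64.0/18
137.74.0.0/16
137.74.0.0/16
2001:db8::/32
137.74.1.0/16
300.1.2.0/24
EOF
}

sample_list | gen_blrules
```

Append the output to /etc/shorewall/blrules and run "shorewall check" before restarting, so that a syntax error in the file is caught while the running ruleset is still in place.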