IPSETCMD-NG - command line utility for managing ipset/iptables through drivers

IPSETCMD-NG is a command line utility for quickly managing ipset/iptables from the shell. It is designed to manage tables and to add or delete IP addresses through the built-in driver pack of the IPSET-NG package. The configuration is selected automatically depending on the installed program: only ipset-ng or sensor-ng configuration files are supported.
It can also work with its own configuration file, ipsetcmd-ng.conf. The program looks for configuration files in the following paths:

    /etc, /etc/ipset-ng, /usr/local/etc, /usr/local/etc/ipset-ng, ~ (home directory)

The mode of operation depends on the driver settings described in the configuration file. The following drivers are supported:

  • Driver ipset - main ipset/iptables driver with the full feature set
  • Driver ipt46 - iptables IPv4 and IPv6 mode; iptables only, no database is used
  • Driver DBI - DBI database/iptables driver
  • Driver MySQL - MySQL database/iptables driver
  • Driver Sqlite - SQLite v3 database/iptables driver
  • iptables - IPv4 and IPv6 support built into the DBI, MySQL and SQLite v3 drivers, which manage rules directly in the kernel; in the ipset driver it is used only to create rules for newly created tables, or to delete them.

The driver name can also be chosen on the command line with the -d key; the driver's local parameters must still be configured in the configuration file.
The available drivers can be listed by calling the program with the -p key, for example:


        /usr/bin/ipsetcmd-ng -p
        ...
        config -> Driver -> available drivers in directory /usr/lib/ipsetng: ipset, ipt46, mysql, dbi, sqlite3
        ...
        /usr/bin/ipsetcmd-ng -d sqlite3 ...


This utility supports working with tables and IP addresses according to the general logic of the package. Distinctive capabilities:

  • Table
    • supports the AutoTable and Standalone table modes in the ipset/iptables driver
    • supports the create, destroy and flush table/chain commands in all modes, including the no-driver direct kernel iptables mode
    • supports the no-driver direct kernel iptables mode, which requires its own configuration file with the same name
  • IP address
    • supports the add, delete and test commands in all drivers, except the test command in the no-driver direct kernel iptables mode
    • supports exporting all fields of an iptables chain

After managing, the utility returns one of the following exit codes:

  • 20 - IP address verified, it is not blocked
  • 40 - IP address verified, it is blocked
  • 50 - error communicating with the server
  • 0 - basic parameters are missing; the program shows the online help
  • 1 - system error, see the program's latest messages
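A wrapper around the test command that acts on these exit codes, added here as an example and not part of the IPSETCMD-NG package. It assumes the binary path in IPSETCMD and uses the table and type names from the page's own examples as defaults; note that exit code 0 means the help was shown, not that the address is allowed, so a plain "if ipsetcmd-ng ...; then" check is the wrong test.

```shell
# Added example, not from the IPSETCMD-NG package: wrap 'ipsetcmd-ng -c test' so
# that a calling script acts on the documented exit codes instead of on plain
# success/failure (code 0 means "help shown", not "allowed"). IPSETCMD and the
# default table/type are placeholders taken from the page's own examples.
IPSETCMD="${IPSETCMD:-/usr/bin/ipsetcmd-ng}"

# Exit code -> verdict word, exactly as listed in the README.
ipsng_verdict() {
    case "$1" in
        20) echo allowed ;;       # verified, not blocked
        40) echo blocked ;;       # verified, blocked
        50) echo server-error ;;  # driver could not reach its backend
        0)  echo usage ;;         # parameters missing, online help was shown
        1)  echo system-error ;;  # see the program's last messages
        *)  echo unknown ;;
    esac
}

# Only the two address verdicts answer the question; anything else means the
# lookup did not happen and must not be treated as "allowed" (fail closed).
ipsng_is_answer() {
    case "$1" in allowed|blocked) return 0 ;; *) return 1 ;; esac
}

# ipsng_test <ip> [table] [type]: prints "<ip> <verdict> <code>" and returns 0
# only when the verdict is an answer.
ipsng_test() {
    ip=$1; tbl=${2:-blacklist}; typ=${3:-black}
    rc=0
    "$IPSETCMD" -c test -i "$ip" -t "$typ" -b "$tbl" -q || rc=$?   # -q: status only
    v=$(ipsng_verdict "$rc")
    printf '%s %s %s\n' "$ip" "$v" "$rc"
    ipsng_is_answer "$v"
}

# Batch mode: one IP per line on stdin (for example from a log extractor);
# prints a summary and fails if any lookup did not produce an answer.
ipsng_test_batch() {
    ok=0; bad=0
    while read -r ip; do
        [ -n "$ip" ] || continue
        if ipsng_test "$ip" "$@"; then ok=$((ok + 1)); else bad=$((bad + 1)); fi
    done
    printf 'answered=%s failed=%s\n' "$ok" "$bad"
    [ "$bad" -eq 0 ]
}

# Stand-alone use: ipsng-check.sh <ip> [table] [type]
if [ "$#" -gt 0 ]; then ipsng_test "$@"; fi
```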

To reduce the number of command line parameters, environment variables can be used; in ksh they are set with the export command, in csh with the setenv command.
The priority of configuration sources is: command line -> environment variables -> configuration file.
Usage examples are available as files in the directory <ipset-ng-src-dir>/misc/*.sh

Update JBL - JSON Black List from Internet source

To update the blacklist databases to their latest version, run IPSETCMD-NG with the -u key.
Valid values for the base to update:

  • blackip4 - update the IPv4 address blacklist database
  • blackip6 - update the IPv6 address blacklist database
  • blacklog - update the IPv4 address log-matched database
  • blackproxy - update the IPv4 address open proxy database
  • blacknet - update the IPv4 network blacklist database

The update process is automatic and requires no intervention. If a table described in the source does not exist, it is created; likewise the ipset driver and all drivers that support iptables create the links in the corresponding tables/chains.

Update JBL - JSON Black List from file source

Easy start

Example of a shell script and related files:


    #!/bin/bash
    # name of script: ipsng-update.sh

    # STEP 1: only needed with the ipset driver, otherwise skip
    /usr/bin/ipsetcmd-ng -c create -b blacklist -t black -l list:set

    # STEP 2
    /usr/bin/ipsetcmd-ng -u blackip4
    /usr/bin/ipsetcmd-ng -u blackip6
    /usr/bin/ipsetcmd-ng -u blacklog
    /usr/bin/ipsetcmd-ng -u blacknet
    /usr/bin/ipsetcmd-ng -u blackproxy

    # STEP 3: crontab entry, runs the script daily at 00:45
    # file: crontab.set
    45 0 * * * /usr/bin/ipsng-update.sh

    # STEP 4: install the crontab file and show the result
    # crontab command:
    crontab ./crontab.set
    crontab -l


Built-in network tools

IPSETCMD-NG includes the following useful features that help ease firewall administration and network management:

  • IP calculator - calculates the network start and end address, broadcast, prefix and netmask. Requires <network address>/netmask or <network address>/prefix
  • WhoIs client - shows WhoIs query results for IP addresses
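As an added example, not code from the IPSETCMD-NG package, here is a POSIX sh IPv4 calculator that takes the same two input forms the built-in IP calculator accepts (<network address>/prefix and <network address>/netmask) and prints the network, first and last host, broadcast, prefix and netmask; it also rejects non-contiguous netmasks and handles /31 and /32. All function names are this example's own.

```shell
# Added example, not part of IPSETCMD-NG: a POSIX sh IPv4 calculator taking the
# two input forms of the IP calculator (-k/--ipcalc), <addr>/prefix and
# <addr>/netmask, and printing network, hosts, broadcast, prefix and netmask.

# Dotted quad -> integer; fails on malformed input.
ip4_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask -> prefix length; rejects non-contiguous masks such as 255.0.255.0.
mask_to_prefix() {
    m=$(ip4_to_int "$1") || return 1
    p=0
    while [ "$p" -lt 32 ] && [ $(( (m >> (31 - p)) & 1 )) -eq 1 ]; do p=$((p + 1)); done
    [ $(( m & ((1 << (32 - p)) - 1) )) -eq 0 ] || return 1   # trailing bits must be 0
    echo "$p"
}

# ipcalc <addr>/<prefix> | <addr>/<netmask>; non-zero status on bad input.
ipcalc() {
    addr=${1%/*}; suf=${1#*/}
    [ "$addr" != "$1" ] || return 1                 # no '/' given
    case $suf in
        *.*)         prefix=$(mask_to_prefix "$suf") || return 1 ;;
        ''|*[!0-9]*) return 1 ;;
        *)           prefix=$suf ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    a=$(ip4_to_int "$addr") || return 1
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( a & mask )); bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    # /31 and /32 have no separate network and broadcast addresses (RFC 3021)
    if [ "$prefix" -ge 31 ]; then first=$net; last=$bcast
    else first=$((net + 1)); last=$((bcast - 1)); fi
    printf 'network=%s first=%s last=%s broadcast=%s prefix=%s netmask=%s\n' \
        "$(int_to_ip4 "$net")" "$(int_to_ip4 "$first")" "$(int_to_ip4 "$last")" \
        "$(int_to_ip4 "$bcast")" "$prefix" "$(int_to_ip4 "$mask")"
}
if [ "$#" -eq 1 ]; then ipcalc "$1"; fi
```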

Command line options:

        -d, --driver=<arg>   manually select the driver name
        -f, --family=<arg>   select the default IP protocol family: ipv4 or ipv6
        -c, --cmd=<arg>      IP address command to process in ipset: test | add | del
        -c, --cmd=<arg>      table command to process in ipset: create | flush | destroy
        -b, --tbl=<arg>      name of the ipset table
        -t, --type=<arg>     type of the ipset table: white | black
        -i, --ip=<arg>       IP address to process: 1.2.3.4
        -n, --net=<arg>      network address to process: 1.2.3.0/24
        -j, --addtbl=<arg>   table name to process in the 'master table'; the master is of type [list:set]
        -m, --timeout=<arg>  timeout for the IP address in the ipset table
        -u, --update=<arg>   update the black list from an Internet source; valid base names: blackip4 | blackip6 | blacklog | blackproxy | blacknet
        -s, --source=<arg>   update from a file source; valid formats: JSON-BL | ipset style; valid file extensions: *.ips | *.txt | *.jbl | *.json | *.gz | *.bz2 | *.zip
        -k, --ipcalc=<arg>   calculate network addresses; requires <network address>/netmask or <network address>/prefix
        -w, --whois=<arg>    show WhoIs query results for an IP address; requires an IP address
        -v, --view           view verbose results for test purposes
        -q, --quiet          quiet screen output mode
        -p, --conf           print the currently loaded driver configuration
        -e, --env            display the environment help
        -h, --help           display this help

Example command lines:

        # Example test IP address '3.4.5.6' is type 'black' in table 'blacklist'
        /usr/bin/ipsetcmd-ng -c test -i 3.4.5.6 -t black -b blacklist -v

        # Example add network '3.4.5.0/28' is type 'black' to table 'blknetlist'
        /usr/bin/ipsetcmd-ng -c add -n 3.4.5.0/28 -t black -b blknetlist -v

        # Example create table 'tablename' is type 'black', table hash is 'hash:ip', family 'ipv4' and timeout is '3600'
        /usr/bin/ipsetcmd-ng -c create -b tablename -t black -l hash:ip -f ipv4 -m 3600 -v

        # Example add table 'tablename' to master table is type list:set
        /usr/bin/ipsetcmd-ng -c add -j tablename -b whitelist -t white -f ipv4 -v

        # Example delete table 'tablename' from master table is type list:set
        /usr/bin/ipsetcmd-ng -c delete -j tablename -b whitelist -t white -f ipv4 -v

        # Example delete from master table and destroy table 'tablename' is type 'black'
        /usr/bin/ipsetcmd-ng -c destroy -b tablename -t black -v

        # Example update black list base from Internet
        /usr/bin/ipsetcmd-ng -u blackproxy

        # Example update black list base from file source .json
        /usr/bin/ipsetcmd-ng -s /tmp/blackproxy.json

        # Example update black list base from gzip compression file source
        /usr/bin/ipsetcmd-ng -s /tmp/blackproxy.json.gz

        # Example update black list base from bzip2 compression file source
        /usr/bin/ipsetcmd-ng -s /tmp/blacklist.bz2


Environment variables:

        NG_IPSETCMD_driver    manually defined driver name
        NG_IPSETCMD_family    select the default IP protocol family: ipv4 or ipv6
        NG_IPSETCMD_timeout   timeout for the IP address in the ipset table
        NG_IPSETCMD_type      type of the ipset table: white | black
        NG_IPSETCMD_hash      type of the ipset table hash: hash:ip | hash:net | bitmap:ip | list:set

Example ksh:

        export NG_IPSETCMD_driver="ipset"
        export NG_IPSETCMD_family="ipv4"
        export NG_IPSETCMD_timeout="3600"

Example csh (setenv takes the name and the value as two words, without '='):

        setenv NG_IPSETCMD_driver ipset
        setenv NG_IPSETCMD_family ipv4
        setenv NG_IPSETCMD_timeout 3600

Example configuration file ipsetcmd-ng.conf:


        [protocol]
        #  default create table protocol family: ipv4, ipv6
        version=ipv4

        [driver]
        # path to dynamic driver directory
        # created automatically by make, default: '/usr/lib/ipsetng'
        path = /usr/lib/ipsetng

        # name of use driver, explore: /usr/lib/ipsetng/drv-<name>-ng.so
        name = ipset

        # WARNING: this iptables setting can be used in all drivers except the ipset driver
        # enable iptables add or delete direct to kernel
        iptenable = yes

        # chain of iptables
        iptchain = INPUT

        # table of iptables
        ipttable = filter

        # target of iptables
        iptrule =  DROP

        # method for adding to table: insert | append
        iptmethod = append

        # ipset driver
        [drv-ipset]

        # ipset driver - white and black lists; only lists of type 'list:set',
        # if you use another type, do not set these
        # if defined, AutoTable mode is enabled
        whitelist = whitelist
        blacklist = blacklist


        # SQLite 3 driver
        [drv-sqlite3]

        # path & file data base
        dbase = /path/myipdb.db

        # path & file to exec on add or delete ip address
        exec = /path/to/file.sh

        # MySQL driver
        [drv-mysql]


        # mysql port
        port = 33306

        # mysql host
        host = localhost

        # mysql login
        login = root

        # mysql password
        pass = 12345

        # database name; if not specified, 'test' is created
        dbase = myipdb

        # mysql socket
        socket = ./mysql.sock

        # path & file to exec on add or delete ip address
        exec = /path/to/file.sh

        # DBI driver
        [drv-dbi]

        # type of dbi driver: any compiled on your system
        # drivers supported by DBI:
        # MySQL, PostgreSQL, SQLite3, DB2, Ingres, mSQL,
        # Oracle, Firebird/Interbase,
        # FreeTDS (provides access to MS SQL Server and Sybase)
        dbitype = mysql

        # port
        port = 33306

        # host
        host = localhost

        # login
        login = root

        # password
        pass = 12345

        # database name; if not specified, 'test' is created
        dbase = myipdb

        # socket
        socket = ./dbi.socket

        # path & file to exec on add or delete ip address
        exec = /path/to/file.sh


