数码产品

使用命令行IPSec封锁端口

WIN2003下直接就是netsh IPSEC命令,XP系统用ipseccmd,2000下用ipsecpol,常用的参数如下:
     -w reg 表明将配置写入注册表,重启后仍有效。
  -p 指定策略名称,如果名称存在,则将该规则加入此策略,否则创建一个。
  -r 指定规则名称。
  -n 指定操作,可以是BLOCK、PASS或者INPASS,必须大写。
  -x 激活该策略。
  -y 使之无效。
  -o 删除-p指定的策略。
  其中最关键的是-f。它用来设置你的过滤规则,格式为
  A.B.C.Dmaskport=A.B.C.Dmaskportprotocol。其中=前面的是源地址,后面是目的地址。如果使用+,则表明此规则是双向的。IP地址中用*代表任何IP地址,0代表我自己的IP地址。还可以使用通配符,比如144.92.. 等效于 144.92.0.0255.255.0.0。使用ipseccmd 可以获得它的帮助。
  如果希望将规则删除,需要先使用-y使之无效,否则删除后它还会持续一段时间。


myipsec2003.bat:
rem 添加安全策略名称
netsh ipsec static add policy name=我的安全策略

rem 添加 IP筛选器列表
netsh ipsec static add filterlist name=允许列表
netsh ipsec static add filterlist name=拒绝列表

rem 添加筛选器到IP筛选器列表(允许上网成功)
netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=any description=web访问 protocol=tcp mirrored=yes dstport=80
netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=any description=dns访问 protocol=tcp mirrored=yes dstport=53
netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=any description=dns访问 protocol=udp mirrored=yes dstport=53
rem 共享别机打印成功
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.77 description=打印 protocol=tcp mirrored=yes dstport=139
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.77 description=打印 protocol=udp mirrored=yes dstport=138
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.77 description=打印 protocol=udp mirrored=yes dstport=137
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.77 description=打印 protocol=tcp mirrored=yes dstport=445
rem 服务器
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.201 description=服务器 protocol=tcp mirrored=yes dstport=139
  netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.201 description=服务器 protocol=udp mirrored=yes dstport=138
  netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.201 description=服务器 protocol=udp mirrored=yes dstport=137
  netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.201 description=服务器 protocol=tcp mirrored=yes dstport=445
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.203 description=服务器 protocol=tcp mirrored=yes dstport=139
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.203 description=服务器 protocol=udp mirrored=yes dstport=138
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.203 description=服务器 protocol=udp mirrored=yes dstport=137
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.203 description=服务器 protocol=tcp mirrored=yes dstport=445
  netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.202 description=服务器 protocol=tcp mirrored=yes dstport=139
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.202 description=服务器 protocol=udp mirrored=yes dstport=138
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.202 description=服务器 protocol=udp mirrored=yes dstport=137
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.202 description=服务器 protocol=tcp mirrored=yes dstport=445
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.105 description=服务器 protocol=tcp mirrored=yes dstport=139
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.105 description=服务器 protocol=udp mirrored=yes dstport=138
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.105 description=服务器 protocol=udp mirrored=yes dstport=137
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.105 description=服务器 protocol=tcp mirrored=yes dstport=445
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.88 description=服务器 protocol=tcp mirrored=yes dstport=139
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.88 description=服务器 protocol=udp mirrored=yes dstport=138
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.88 description=服务器 protocol=udp mirrored=yes dstport=137
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.88 description=服务器 protocol=tcp mirrored=yes dstport=445

 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.155 description=服务器 protocol=tcp mirrored=yes dstport=139
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.155 description=服务器 protocol=udp mirrored=yes dstport=138
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.155 description=服务器 protocol=udp mirrored=yes dstport=137
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.155 description=服务器 protocol=tcp mirrored=yes dstport=445
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=200.200.200.155 description=服务器 protocol=udp mirrored=yes dstport=445

  netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=any description=ping访问 protocol=ICMP mirrored=yes
 
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=any description=sybase访问 protocol=tcp mirrored=yes dstport=5000
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=any description=dameware protocol=tcp mirrored=yes dstport=6129
 netsh ipsec static add filter filterlist=允许列表  srcaddr=any dstaddr=me description=remotelyanywhere protocol=tcp mirrored=yes dstport=2000
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=any description=pcanywhere protocol=tcp mirrored=yes dstport=5631
 netsh ipsec static add filter filterlist=允许列表  srcaddr=me dstaddr=any description=pcanywhere protocol=udp mirrored=yes dstport=5632

rem 添加筛选器到IP筛选器列表(不让别人访问)
 netsh ipsec static add filter filterlist=拒绝列表  srcaddr=any dstaddr=me description=别人到我任何访问 protocol=any mirrored=yes
 netsh ipsec static add filter filterlist=拒绝列表  srcaddr=me dstaddr=any description=我到任何访问 protocol=any mirrored=yes

rem 添加筛选器操作
netsh ipsec static add filteraction name=可以  action=permit
netsh ipsec static add filteraction name=不可以  action=block


rem 创建一个链接指定 IPSec 策略、筛选器列表和筛选器操作的规则(加入规则到我的安全策略)
netsh ipsec static add rule name=允许规则  policy=我的安全策略 filterlist=允许列表 filteraction=可以
netsh ipsec static add rule name=拒绝规则  policy=我的安全策略 filterlist=拒绝列表 filteraction=不可以

rem 激活我的安全策略
netsh ipsec static set policy name=我的安全策略 assign=y

rem 总结一下,策略policy(规则rule(筛选器列表filterlist(筛选器filter))—筛选器操作filteraction)
rem netsh ipsec static delete policy name=我的安全策略
rem netsh ipsec static delete policy all
rem netsh ipsec static show policy all
rem netsh firewall delete portopening TCP 2000

myipsecdel.bat:
netsh ipsec static delete policy name=我的安全策略
rem netsh ipsec static delete policy all


winxpipsec.bat:

rem 设置策略名称及策略中包括的规则详细内容

ipseccmd -w REG -p "Block default ports" -y
ipseccmd -w REG -p "Block default ports" -o
ipseccmd -w REG -p "Block default ports" -r "Block all" -f 0+* -n BLOCK

rem ipseccmd -w REG -p "Block default ports" -r "Block TCP/135" -f *+0:135:TCP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block TCP/139" -f *+0:139:TCP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block TCP/445" -f *+0:445:TCP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/123" -f *+0:123:UDP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/135" -f *+0:135:UDP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/137" -f *+0:137:UDP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/138" -f *+0:138:UDP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/139" -f *+0:139:UDP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/445" -f *+0:445:UDP -n BLOCK

ipseccmd -w REG -p "Block default ports" -r "allow server" -f 0+200.200.200.201:445:UDP -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow server" -f 0+200.200.200.201:445:TCP -n PASS

rem ipseccmd -w REG -p "Block default ports" -r "allow server" -f 0+200.200.200.201:137:UDP -n PASS
rem ipseccmd -w REG -p "Block default ports" -r "allow server" -f 0+200.200.200.201:138:UDP -n PASS
rem ipseccmd -w REG -p "Block default ports" -r "allow server" -f 0+200.200.200.201:139:tcp -n PASS

 

ipseccmd -w REG -p "Block default ports" -r "allow print" -f 0+200.200.200.77:445:UDP -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow print" -f 0+200.200.200.77:445:TCP -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow print" -f 0+200.200.200.77:137:UDP -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow print" -f 0+200.200.200.77:138:UDP -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow print" -f 0+200.200.200.77:139:tcp -n PASS

ipseccmd -w REG -p "Block default ports" -r "allow sqlserver" -f 0+*:1433:tcp -n PASS

ipseccmd -w REG -p "Block default ports" -r "allow sybase" -f 0+*:5000:tcp -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow sybase" -f 0+*:5001:tcp -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow sybase" -f 0+*:5002:tcp -n PASS


ipseccmd -w REG -p "Block default ports" -r "allow dameware" -f 200.200.200.106+0:6129:tcp -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow pcanywhere" -f 200.200.200.106+0:5631:tcp -n PASS

ipseccmd -w REG -p "Block default ports" -r "allow firebird" -f 0+*:211:tcp -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow firebird" -f 0+*:3050:tcp -n PASS

ipseccmd -w REG -p "Block default ports" -r "allow ping" -f *+*::ICMP -n PASS
ipseccmd -w REG -p "Block default ports" -x
rem 激活此策略

winxpipsec_del.bat:
rem 不指派,第一条先不指派此策略,第二条再删除此策略
ipseccmd -w REG -p "Block default ports" -y
ipseccmd -w REG -p "Block default ports" -o

win2000ipsec.bat:

rem 设置策略名称及策略中包括的规则详细内容

rem ipsecpol -w REG -p "Block default ports" -y
rem ipsecpol -w REG -p "Block default ports" -o
ipsecpol -w REG -p "Block default ports" -r "Block all" -f 0+* -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block TCP/135" -f *+0:135:TCP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block TCP/139" -f *+0:139:TCP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block TCP/445" -f *+0:445:TCP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/123" -f *+0:123:UDP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/135" -f *+0:135:UDP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/137" -f *+0:137:UDP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/138" -f *+0:138:UDP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/139" -f *+0:139:UDP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/445" -f *+0:445:UDP -n BLOCK

 

rem ipsecpol -w REG -p "Block default ports" -r "allow UDP/137" -f *+0:137:UDP -n PASS
rem ipsecpol -w REG -p "Block default ports" -r "allow UDP/138" -f *+0:138:UDP -n PASS
rem ipsecpol -w REG -p "Block default ports" -r "allow UDP/139" -f *+0:139:UDP -n PASS
rem ipsecpol -w REG -p "Block default ports" -r "allow tcp/139" -f *+0:139:tcp -n PASS

ipsecpol -w REG -p "Block default ports" -r "allow tcP/445" -f *+0:445:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow UDP/445" -f *+0:445:udp -n PASS

rem ipsecpol -w REG -p "Block default ports" -r "allow sybase" -f 0+*:5000:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow sybase" -f *+0:5000:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow sybase sqlserver5001" -f *+0:5001:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow sybase sqlserver5002" -f *+0:5002:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow sqlserver" -f *+0:1433:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow pcanywhere tcp" -f 200.200.200.106+0:5631:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow pcanywhere udp" -f 200.200.200.106+0:5632:udp -n PASS

ipsecpol -w REG -p "Block default ports" -r "allow dameware" -f 200.200.200.106+0:6129:tcp -n PASS
rem ipsecpol -w REG -p "Block default ports" -r "allow firebird" -f 0+*:211:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow firebird211" -f *+0:211:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow firebird3050" -f *+0:3050:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow ping" -f 0+*::ICMP -n PASS
ipsecpol -w REG -p "Block default ports" -x
rem 激活此策略


 win2000ipsec_del.bat:
 rem 不指派,第一条先不指派此策略,第二条再删除此策略
ipsecpol -w REG -p "Block default ports" -y
ipsecpol -w REG -p "Block default ports" -o

posted @ 2020-03-12 08:48  Hackerman  阅读(947)  评论(0编辑  收藏  举报
数码产品