Setting up an IPsec firewall on Windows
On Windows Server, IPsec policies are the recommended way to manage firewall settings. The built-in firewall requires .wfw files to be exported and imported by hand and rules to be added one at a time, which is tedious to maintain, so the recommendation is to turn it off and manage filtering with IPsec instead.
Below is the firewall configuration used in production; adjust the addresses and ports to match your own environment.
Win+R, type secpol.msc and press Enter to open the firewall (IP Security Policies) configuration.
REM Static IPsec policies are enforced by the IPsec Policy Agent service; they stop applying if that service is stopped
REM Delete all existing static policies
netsh ipsec static del all
REM Create a policy
netsh ipsec static add policy name=Firewall
REM Add a block filter action
netsh ipsec static add filteraction name=m_block action=block
REM Add a permit filter action
netsh ipsec static add filteraction name=m_permit action=permit
REM Close all ports
REM Add a filter list matching all TCP and UDP traffic between any addresses
REM (only TCP and UDP are covered; other protocols such as ICMP are not blocked by this rule)
netsh ipsec static add filterlist name=all
netsh ipsec static add filter filterlist=all srcaddr=any dstaddr=any protocol=TCP
netsh ipsec static add filter filterlist=all srcaddr=any dstaddr=any protocol=UDP
REM Add a rule that blocks all ports
netsh ipsec static add rule name=B_all policy=Firewall filterlist=all filteraction=m_block
REM Allow 3389
REM Add a filter list for port 3389
netsh ipsec static add filterlist name=Intrannet_3389
netsh ipsec static add filter filterlist=Intrannet_3389 srcaddr=43.230.88.131 srcmask=32 dstaddr=Me dstport=3389 protocol=TCP
netsh ipsec static add filter filterlist=Intrannet_3389 srcaddr=192.168.0.0 srcmask=16 dstaddr=Me dstport=3389 protocol=TCP
netsh ipsec static add filter filterlist=Intrannet_3389 srcaddr=10.0.0.0 srcmask=8 dstaddr=Me dstport=3389 protocol=TCP
REM Note: the RFC 1918 private range is 172.16.0.0/12; the /8 below also admits public 172.x.x.x addresses
netsh ipsec static add filter filterlist=Intrannet_3389 srcaddr=172.0.0.0 srcmask=8 dstaddr=Me dstport=3389 protocol=TCP
netsh ipsec static add filter filterlist=Intrannet_3389 srcaddr=me dstaddr=any dstport=3389 protocol=TCP
REM Add a rule that allows port 3389
netsh ipsec static add rule name=P_3389 policy=Firewall filterlist=Intrannet_3389 filteraction=m_permit
REM Allow 26333
REM Add a filter list for port 26333
netsh ipsec static add filterlist name=Intrannet_26333
netsh ipsec static add filter filterlist=Intrannet_26333 srcaddr=43.230.88.131 srcmask=32 dstaddr=Me dstport=26333 protocol=TCP
REM Add a rule that allows port 26333
netsh ipsec static add rule name=P_26333 policy=Firewall filterlist=Intrannet_26333 filteraction=m_permit
REM Allow IIS_Server
REM Add a filter list for the IIS_Server ports
netsh ipsec static add filterlist name=IIS_Server
netsh ipsec static add filter filterlist=IIS_Server srcaddr=any dstaddr=Me dstport=80 protocol=TCP
netsh ipsec static add filter filterlist=IIS_Server srcaddr=me dstaddr=any dstport=80 protocol=TCP
netsh ipsec static add filter filterlist=IIS_Server srcaddr=any dstaddr=Me dstport=443 protocol=TCP
netsh ipsec static add filter filterlist=IIS_Server srcaddr=me dstaddr=any dstport=443 protocol=TCP
netsh ipsec static add filter filterlist=IIS_Server srcaddr=me dstaddr=any dstport=2433 protocol=TCP
REM Add a rule that allows the IIS_Server ports
netsh ipsec static add rule name=P_IIS_Server policy=Firewall filterlist=IIS_Server filteraction=m_permit
REM Add a filter list for SNMP port 161
netsh ipsec static add filterlist name=SNMP_161
netsh ipsec static add filter filterlist=SNMP_161 srcaddr=43.230.88.131 srcmask=32 dstaddr=Me dstport=161 protocol=UDP
REM Add a rule that allows port 161
netsh ipsec static add rule name=P_SNMP_161 policy=Firewall filterlist=SNMP_161 filteraction=m_permit
REM Allow Other
REM Add a filter list for the remaining ports (created explicitly first, as for the other lists above)
netsh ipsec static add filterlist name=Other
netsh ipsec static add filter filterlist=Other srcaddr=Me dstaddr=DNS protocol=any
netsh ipsec static add filter filterlist=Other srcaddr=Me dstaddr=any dstport=123 protocol=UDP
netsh ipsec static add filter filterlist=Other srcaddr=any dstaddr=Me dstport=873 protocol=TCP
netsh ipsec static add filter filterlist=Other srcaddr=me dstaddr=any dstport=873 protocol=TCP
netsh ipsec static add filter filterlist=Other srcaddr=43.230.88.131 srcmask=32 dstaddr=me dstport=10050 protocol=tcp mirrored=yes description=Zabbix
netsh ipsec static add filter filterlist=Other srcaddr=me dstaddr=43.230.88.131 dstport=10051 protocol=tcp mirrored=yes description=Zabbix
REM Add a rule that allows the Other ports
netsh ipsec static add rule name=P_Other policy=Firewall filterlist=Other filteraction=m_permit
REM Assign the policy so it takes effect
netsh ipsec static set policy name=Firewall assign=y
REM IPsec configuration complete
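The script above is maintained by hand, and its structure repeats for every service: create a filter list, add filters to it, bind it to the policy with a permit rule. The following added example (my code, not the post's script) generates that same netsh sequence from a declarative allow-list, so the filter list is always created before filters are added to it, every source is validated as a CIDR or a netsh keyword, and over-broad sources (an admin port open to any address, or a public range wider than a single host, such as 172.0.0.0/8 where 172.16.0.0/12 was meant) are flagged before the policy is assigned. The Allow class, build_script, audit, and the FL_/P_ naming are this example's own conventions; the policy layout (one policy, block and permit filter actions, a catch-all TCP/UDP block rule, per-service permit rules, then assignment) follows the script above.

```python
"""Generate a netsh ipsec static policy script from a declarative allow-list.

Added example, not the original post's script. Allow, build_script, audit and
the FL_/P_ naming are this example's own conventions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Address keywords understood by netsh ipsec static (no mask needed for these).
SPECIAL_ADDRS = {"me", "any", "dns", "dhcp", "wins", "gateway"}
# Ports treated as remote administration by audit(); 3389 (RDP) is the one the
# post opens. Extend for your environment.
ADMIN_PORTS = {3389}


@dataclass
class Allow:
    """One permitted service: traffic to dstaddr=Me on port/proto from sources."""
    name: str                       # used in filter list (FL_name) and rule (P_name)
    port: int
    proto: str = "TCP"
    sources: List[str] = field(default_factory=lambda: ["any"])  # CIDR or keyword
    mirrored: bool = True           # netsh default; also matches the reply direction


def source_args(src: str) -> str:
    """Render a source as netsh srcaddr[/srcmask] arguments; reject bad CIDRs."""
    if src.lower() in SPECIAL_ADDRS:
        return f"srcaddr={src.lower()}"
    # strict=True rejects host bits set inside the prefix, e.g. 172.0.0.1/8.
    net = ipaddress.ip_network(src, strict=True)
    return f"srcaddr={net.network_address} srcmask={net.prefixlen}"


def build_script(policy: str, allows: List[Allow]) -> List[str]:
    """Return the netsh command lines in the order the post's script uses."""
    names = [a.name for a in allows]
    if len(names) != len(set(names)):
        raise ValueError("duplicate Allow names would produce duplicate rule names")
    lines = [
        "REM Generated policy: delete all existing static policies first",
        "netsh ipsec static del all",
        f"netsh ipsec static add policy name={policy}",
        "netsh ipsec static add filteraction name=m_block action=block",
        "netsh ipsec static add filteraction name=m_permit action=permit",
        "REM Catch-all block for TCP and UDP (other protocols are not covered)",
        "netsh ipsec static add filterlist name=all",
        "netsh ipsec static add filter filterlist=all srcaddr=any dstaddr=any protocol=TCP",
        "netsh ipsec static add filter filterlist=all srcaddr=any dstaddr=any protocol=UDP",
        f"netsh ipsec static add rule name=B_all policy={policy} filterlist=all filteraction=m_block",
    ]
    for a in allows:
        fl = f"FL_{a.name}"
        lines.append(f"REM Allow {a.name}: {a.proto}/{a.port}")
        # The filter list is always created before filters are added to it.
        lines.append(f"netsh ipsec static add filterlist name={fl}")
        for src in a.sources:
            lines.append(
                f"netsh ipsec static add filter filterlist={fl} {source_args(src)} "
                f"dstaddr=Me dstport={a.port} protocol={a.proto} "
                f"mirrored={'yes' if a.mirrored else 'no'}"
            )
        lines.append(
            f"netsh ipsec static add rule name=P_{a.name} policy={policy} "
            f"filterlist={fl} filteraction=m_permit"
        )
    # Assigning the policy is what makes it take effect.
    lines.append(f"netsh ipsec static set policy name={policy} assign=y")
    return lines


def audit(allows: List[Allow]) -> List[str]:
    """Flag allow entries a reviewer would question before the policy is assigned."""
    warnings = []
    for a in allows:
        for src in a.sources:
            key = src.lower()
            if key == "any" and a.port in ADMIN_PORTS:
                warnings.append(f"{a.name}: port {a.port} is reachable from any address")
                continue
            if key in SPECIAL_ADDRS:
                continue
            net = ipaddress.ip_network(src, strict=True)
            # A single host is fine wherever it lives; a public range wider than a
            # host (e.g. 172.0.0.0/8 instead of 172.16.0.0/12) is usually a typo.
            if net.prefixlen < net.max_prefixlen and not net.is_private:
                warnings.append(f"{a.name}: source {net} is not a private (RFC 1918) range")
    return warnings


if __name__ == "__main__":
    # Constructed sample mirroring two of the post's services.
    rules = [
        Allow("RDP", 3389, sources=["43.230.88.131/32", "192.168.0.0/16", "172.0.0.0/8"]),
        Allow("HTTP", 80),
    ]
    for w in audit(rules):
        print("WARNING:", w)
    print("\n".join(build_script("Firewall", rules)))
```

Run the audit first and only save the generated lines to a .bat file once it returns nothing you did not intend; the generated script starts with netsh ipsec static del all, exactly like the post's, so it replaces any previously assigned static policy on the host.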