1.规则说明
IP安全策略:由一条条规则组成,而这些规则是由2部分组成的。
首先要建立一个ip筛选器(用来指定那些地址),然后是筛选器操作(用来指定对这些ip的操作,就是动作),最后再激活(指派)。
下面用实例来说明,然后附带一些常用的。这个例子就是不允许ip为192.168.1.2的机器访问我的3389端口。'后面是注析'建立一个名字叫XBLUE的安全策略先
netsh ipsec static add policy name=XBLUE
'建立一个ip筛选器,指定192.168.1.2
netsh ipsec static add filterlist name=denyip
netsh ipsec static add filter filterlist=denyip srcaddr=192.168.1.2 dstaddr=Me dstport=3389 protocol=TCP
'建立一个筛选器操作
netsh ipsec static add filteraction name=denyact action=block
'加入规则到安全策略XBLUE
netsh ipsec static add rule name=kill3389 policy=XBLUE filterlist=denyip filteraction=denyact
'激活这个策略
netsh ipsec static set policy name=XBLUE assign=y
把安全策略导出
netsh ipsec static exportpolicy d:\ip.ipsec
删除所有安全策略
netsh ipsec static del all
把安全策略导入
netsh ipsec static importpolicy d:\ip.ipsec
激活这个策略
netsh ipsec static set policy name=策略名称 assign=y
入侵灵活运用
得到了61.90.227.136的sa权限。不过有策略限制,访问不到他的3389。我想用他的3389。
netsh ipsec static add filterlist name=welcomexblue
netsh ipsec static add filter filterlist=welcomexblue srcaddr=220.207.31.249 dstaddr=Me dstport=7892 protocol=TCP
netsh ipsec static add rule name=letxblue policy=ConnRest filterlist=welcomexblue filteraction=Permit
访问结果
可以访问了。
netsh ipsec static del rule name=letxblue policy=ConnRest
更改
netsh ipsec static set filter filterlist=welcomexblue srcaddr=220.207.31.249 dstaddr=Me dstport=3389 protocol=TCP
删除
netsh ipsec static del rule name=letxblue policy=ConnRest
netsh ipsec static del filterlist name=welcomexblue
2.代码示例
代码
REM =================开始================
rem 把安全策略导出 备份
netsh ipsec static exportpolicy c:\ip.ipsec
rem 删除所有安全策略
netsh ipsec static del all
rem 策略名称
netsh ipsec static ^
add policy name=WebIPS
REM 添加2个动作,block和permit
netsh ipsec static ^
add filteraction name=Permit action=permit
netsh ipsec static ^
add filteraction name=Block action=block
REM 首先禁止所有访问
netsh ipsec static ^
add filterlist name=AllAccess
netsh ipsec static ^
add filter filterlist=AllAccess srcaddr=Me dstaddr=Any
netsh ipsec static ^
add rule name=BlockAllAccess policy=WebIPS filterlist=AllAccess filteraction=Block
REM 开放某些IP无限制访问
netsh ipsec static ^
add filterlist name=UnLimitedIP
netsh ipsec static ^
add filter filterlist=UnLimitedIP srcaddr=58.221.246.25 dstaddr=Me
netsh ipsec static ^
add rule name=AllowUnLimitedIP policy=WebIPS filterlist=UnLimitedIP filteraction=Permit
REM 开放某些端口
netsh ipsec static ^
add filterlist name=OpenSomePort
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=20 protocol=TCP
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=21 protocol=TCP
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=80 protocol=TCP
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=10000 protocol=TCP
netsh ipsec static ^
add rule name=AllowOpenSomePort policy=WebIPS filterlist=OpenSomePort filteraction=Permit
REM 开放某些ip可以访问某些端口
netsh ipsec static ^
add filterlist name=SomeIPSomePort
rem 开80
netsh ipsec static ^
add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=80 protocol=TCP
rem 开支付宝
netsh ipsec static ^
add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=443 protocol=TCP
rem 开数据库
netsh ipsec static ^
add filter filterlist=SomeIPSomePort srcaddr=58.221.246.25 dstaddr=Me dstport=1433 protocol=TCP
rem 开3389
netsh ipsec static ^
add filter filterlist=SomeIPSomePort srcaddr=58.221.246.25 dstaddr=Me dstport=3389 protocol=TCP
rem 开10000
netsh ipsec static ^
add filter filterlist=SomeIPSomePort srcaddr=58.221.246.25 dstaddr=Me dstport=1000 protocol=TCP
rem 绑定到策略
netsh ipsec static ^
add rule name=AllowSomeIPSomePort policy=WebIPS filterlist=SomeIPSomePort filteraction=Permit
rem 激活策略
netsh ipsec static set policy name=WebIPS assign=y
rem 把安全策略导出 备份
netsh ipsec static exportpolicy c:\ip.ipsec
rem 删除所有安全策略
netsh ipsec static del all
rem 策略名称
netsh ipsec static ^
add policy name=WebIPS
REM 添加2个动作,block和permit
netsh ipsec static ^
add filteraction name=Permit action=permit
netsh ipsec static ^
add filteraction name=Block action=block
REM 首先禁止所有访问
netsh ipsec static ^
add filterlist name=AllAccess
netsh ipsec static ^
add filter filterlist=AllAccess srcaddr=Me dstaddr=Any
netsh ipsec static ^
add rule name=BlockAllAccess policy=WebIPS filterlist=AllAccess filteraction=Block
REM 开放某些IP无限制访问
netsh ipsec static ^
add filterlist name=UnLimitedIP
netsh ipsec static ^
add filter filterlist=UnLimitedIP srcaddr=58.221.246.25 dstaddr=Me
netsh ipsec static ^
add rule name=AllowUnLimitedIP policy=WebIPS filterlist=UnLimitedIP filteraction=Permit
REM 开放某些端口
netsh ipsec static ^
add filterlist name=OpenSomePort
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=20 protocol=TCP
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=21 protocol=TCP
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=80 protocol=TCP
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=10000 protocol=TCP
netsh ipsec static ^
add rule name=AllowOpenSomePort policy=WebIPS filterlist=OpenSomePort filteraction=Permit
REM 开放某些ip可以访问某些端口
netsh ipsec static ^
add filterlist name=SomeIPSomePort
rem 开80
netsh ipsec static ^
add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=80 protocol=TCP
rem 开支付宝
netsh ipsec static ^
add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=443 protocol=TCP
rem 开数据库
netsh ipsec static ^
add filter filterlist=SomeIPSomePort srcaddr=58.221.246.25 dstaddr=Me dstport=1433 protocol=TCP
rem 开3389
netsh ipsec static ^
add filter filterlist=SomeIPSomePort srcaddr=58.221.246.25 dstaddr=Me dstport=3389 protocol=TCP
rem 开10000
netsh ipsec static ^
add filter filterlist=SomeIPSomePort srcaddr=58.221.246.25 dstaddr=Me dstport=1000 protocol=TCP
rem 绑定到策略
netsh ipsec static ^
add rule name=AllowSomeIPSomePort policy=WebIPS filterlist=SomeIPSomePort filteraction=Permit
rem 激活策略
netsh ipsec static set policy name=WebIPS assign=y
用心对待身边的一切,一切皆有可能!
