2008
一:禁止所有1433端口
//建立一个名字叫BlockSQL的安全策略先
netsh ipsec static add policy name=BlockSQL
//建立一个ip筛选器
netsh ipsec static add filterlist name=DenyAllTcp1433
//禁止任何人访问1433端口
netsh ipsec static add filter filterlist=DenyAllTcp1433 srcaddr=Any dstaddr=Me dstport=1433 protocol=TCP
//建立一个筛选器操作
netsh ipsec static add filteraction name=DenyAct action=block
//加入规则到安全策略BlockSQL
netsh ipsec static add rule name=DenyAllTcp1433 policy=BlockSQL filterlist=DenyAllTcp1433 filteraction=DenyAct
//激活策略组
netsh ipsec static set policy name=BlockSQL assign=y
二、授权访问1433端口
//建立一个名字叫BlockSQL的安全策略先
netsh ipsec static add policy name=BlockSQL
//建立一个ip筛选器
netsh ipsec static add filterlist name=PASSTcp1433
//授权访问1433端口
netsh ipsec static add filter filterlist=PASSTcp1433 srcaddr=123.102.121.38 dstaddr=Me dstport=1433 protocol=TCP
//建立一个筛选器操作
netsh ipsec static add filteraction name=AllowAct action=permit
//加入规则到安全策略BlockSQL
netsh ipsec static add rule name=PASSTcp1433 policy=BlockSQL filterlist=PASSTcp1433 filteraction=AllowAct
//激活策略组
netsh ipsec static set policy name=BlockSQL assign=y
//拒绝所有1433:删除规则
netsh ipsec static delete rule name = Block1433 policy = BlockSQL
//拒绝所有1433:删除筛选器列表
netsh ipsec static delete filterlist name = DenyAllTcp1433
//拒绝所有1433:删除筛选器操作
netsh ipsec static delete filteraction name = DenyAct
//接受1433端口:删除规则
netsh ipsec static delete rule name = PASS1433 policy = BlockSQL
//接受1433端口:删除筛选器列表
netsh ipsec static delete filterlist name = PASSTcp1433
//接受1433端口:删除筛选器操作
netsh ipsec static delete filteraction name = AllowAct
//取消指派
netsh ipsec static set policy name=BlockSQL assign=n
//删除策略组
netsh ipsec static delete policy name=BlockSQL
//接受1433端口:删除筛选器列表中的记录
netsh ipsec static delete filter filterlist=PASSTcp1433 srcaddr=123.123.123.123 dstaddr=Me dstport=1433 protocol=TCP
//删除所有策略组
netsh ipsec static delete all
2003
IPsec (Internet Protocol security)
在命令行下,通过netsh ipsec static来配置IPSEC安全策略。前提是IPSEC服务已经打开。
一个IPSEC由一个或者多个规则组成;一个规则有一个IP筛选器列表和一个相应的筛选器操作组成;这个筛选器列表和筛选器可以是系统本身所没有的,如果没有则需要自行建立,而一个筛选器又由一个或多个筛选器组成,因此配置IPSEC的时候必须分步进行。规则由筛选器列表和筛选器操作构成。而且存放在策略里,策略器由策略器列表来存储,这样就决定了一个步骤:建立空的安全策略,建立筛选器列表,建立筛选器操作,这三步不需要特定的顺序,建立筛选器需要在空筛选器列表建立成以后;建立规则在上述三步骤完成之后。下面开始配置策略的新增,修改,删除、最重要的是激活;
更详细的资料请参考微软的技术资源库:
Netsh Commands for Internet Protocol Security (IPsec)
连接如下:http://technet.microsoft.com/zh-cn/cc725926
备注:注意连接里的 Netsh Commands for Windows Firewall with Advanced Security.连接,他给你的帮助会更大;
导出IPsec安全策略:Netsh ipsec static exportpolicy file = d:ExportSecurity.ipsec
导入IPsec安全策略:Netsh ipsec static importpolicy file = d:ImportSecurity.ipsec
1、建立一个新的策略
1.1首先建立一个空的安全策略[Michael’s安全策略]
Netsh ipsec static add policy name = Michael’s安全策略
1.2建立一个筛选器操作”阻止”
Netsh ipsec static add filteraction name = 阻止 action =block
1.3建立一个筛选器列表“可访问的终端列表”
Netsh ipsec static add filterlist name =可访问的终端列表
Netsh ipsec static add filter filterlist = 可访问的终端列表
srcaddr=203.86.32.248
dstaddr = me dstport = 3389
description = 部门1访问 protocol =TCP mirrored = yes
Netsh ipsec static add filter filterlist = 可访问的终端列表
Srcaddr = 203.86.31.0 srcmask=255.255.255.0
dstaddr = 60.190.145.9 dstport = 0
description = 部门2访问 protocol =any mirrored = yes
1.4建立策略规则
Netsh ipsec static add rule name =可访问的终端策略规则
Policy = Michael’s安全策略
filterlist =可访问的终端列表
filteraction = 阻止
2、修改策略
netsh ipsec static set filter filterlist = 可访问的终端列表
srcaddr = 220.207.31.249
dstaddr = Me dstport=3389 protocol=TCP
3、删除策略
netsh ipsec static delete rule name = 可访问的终端策略规则 policy = Michael’s安全策略
netsh ipsec static delete filterlist name = 可访问的终端列表
4、最最重要的一步是激活;
netsh ipsec static set policy name = Michael’s安全策略 assign = y
以下提供一个我自己写的实例:
echo 创建安全策略
Netsh IPsec static add policy name = APU安全策略
echo 创建筛选器是阻止的操作
Netsh IPsec static add filteraction name = 阻止 action = block
echo 创建筛选器是允许的操作
Netsh IPsec static add filteraction name = 允许 action = permit
echo 建立一个筛选器可以访问的终端列表
Netsh IPsec static add filterlist name = 可访问的终端列表
Netsh IPsec static add filter filterlist = 可访问的终端列表 srcaddr = 203.86.32.248 dstaddr = me dstport = 3389 description = 部门1访问 protocol = TCP mirrored = yes
echo 建立一个筛选器可以访问的终端列表
Netsh ipsec static add filter filterlist = 可访问的终端列表 Srcaddr = 203.86.31.0 srcmask=255.255.255.0 dstaddr = 60.190.145.9 dstport = 0 description = 部门2访问 protocol =any mirrored = yes
echo 建立策略规则
Netsh ipsec static add rule name = 可访问的终端策略规则 Policy = APU安全策略 filterlist = 可访问的终端列表 filteraction = 阻止
echo 激活策略
netsh ipsec static set policy name = APU安全策略 assign = y
pause
或者
Netsh ipsec static add policy name = 默认策略名称
pause
Netsh ipsec static add filteraction name = 阻止操作 action = block
pause
Netsh ipsec static add filteraction name = 允许操作 action = permit
pause
Netsh ipsec static add filterlist name = 访问列表
pause
Netsh ipsec static add filterlist name = 阻止列表
pause
Netsh ipsec static add filter filterlist = 访问列表1 srcaddr = 203.86.32.248 dstaddr = me dstport = 3389 description = 部门1访问 protocol = TCP mirrored = yes
pause
Netsh ipsec static add filter filterlist = 访问列表2 srcaddr = 203.86.31.0 srcmask = 255.255.255.0 dstaddr = 60.190.145.9 dstport = 0 description = 部门2访问 protocol = any mirrored = yes
pause
Netsh ipsec static add rule name = 可访问的终端策略规则 Policy = 默认策略名称 filterlist = 访问列表1 filteraction = 阻止操作
pause
Netsh ipsec static add rule name = 可访问的终端策略规则 Policy = 默认策略名称 filterlist = 访问列表2 filteraction = 阻止操作
pause
netsh ipsec static set policy name = 默认策略名称 assign = y
pause
[以下是转载未经过测试,百度上都可以找的到。]
REM =================开始================
netsh ipsec static ^
add policy name=bim
REM 添加2个动作,block和permit
netsh ipsec static ^
add filteraction name=Permit action=permit
netsh ipsec static ^
add filteraction name=Block action=block
REM 首先禁止所有访问
netsh ipsec static ^
add filterlist name=AllAccess
netsh ipsec static ^
add filter filterlist=AllAccess srcaddr=Me dstaddr=Any
netsh ipsec static ^
add rule name=BlockAllAccess policy=bim filterlist=AllAccess filteraction=Block
REM 开放某些IP无限制访问
netsh ipsec static ^
add filterlist name=UnLimitedIP
netsh ipsec static ^
add filter filterlist=UnLimitedIP srcaddr=61.128.128.67 dstaddr=Me
netsh ipsec static ^
add rule name=AllowUnLimitedIP policy=bim filterlist=UnLimitedIP filteraction=Permit
REM 开放某些端口
netsh ipsec static ^
add filterlist name=OpenSomePort
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=20 protocol=TCP
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=21 protocol=TCP
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=80 protocol=TCP
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=3389 protocol=TCP
netsh ipsec static ^
add rule name=AllowOpenSomePort policy=bim filterlist=OpenSomePort filteraction=Permit
REM 开放某些ip可以访问某些端口
netsh ipsec static ^
add filterlist name=SomeIPSomePort
netsh ipsec static ^
add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=80 protocol=TCP
netsh ipsec static ^
add filter filterlist=SomeIPSomePort srcaddr=61.128.128.68 dstaddr=Me dstport=1433 protocol=TCP
netsh ipsec static ^
add rule name=AllowSomeIPSomePort policy=bim filterlist=SomeIPSomePort filteraction=Permit
java 操作:
package cn.edu;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.lang.InterruptedException;
/**
*
* @author kelvin
*
* 指定一个IP列表文件或IP地址,并将文件中所有对应的IP地址和端口号或指定的IP地址和端口号过滤
* 指令格式: IPFilter type [filename|IPAddr]
* type类型:-f表示文件
* -a表示IP地址
* IP地址格式: [IP]:[port] 或 [IP]
* eg: java IPFilter -f ip.txt
* java IPFilter -a 192.168.1.1:80
* java IPFilter -a 192.168.1.1
*/
public class IPFilter {
// [IP]:[port]正则表达式
private static final String IPADDRESS_PORT_PATTERN = "^([01]?dd?|2[0-4]d|25[0-5])."
+ "([01]?dd?|2[0-4]d|25[0-5])."
+ "([01]?dd?|2[0-4]d|25[0-5])."
+ "([01]?dd?|2[0-4]d|25[0-5]):([0-9]|[1-9]d{1,3}|[1-5]d{4}|6[0-4]d{3}|65[0-4]d{2}|655[0-2]d|6553[0-5])$";
// IP地址正则表达式
private static final String IPADDRESS_PATTERN = "^([01]?dd?|2[0-4]d|25[0-5])."
+ "([01]?dd?|2[0-4]d|25[0-5])."
+ "([01]?dd?|2[0-4]d|25[0-5])."
+ "([01]?dd?|2[0-4]d|25[0-5])$";
// 筛选器列表名称
private static final String FILTER_LIST_NAME = "denyip";
/**
* @param args
* @throws IOException, InterruptedException
*/
public static void main(String[] args) throws IOException, InterruptedException {
if (args.length != 2) {
printUsage();
return;
}
Pattern ip_port_pattern = Pattern.compile(IPADDRESS_PORT_PATTERN);
Pattern ip_pattern = Pattern.compile(IPADDRESS_PATTERN);
if (args[0].equals("-f")) {
File filterFile = null;
BufferedReader br = null;
String ipAddr = null;
try {
filterFile = new File(args[1]);
if(!filterFile.exists()) {
System.out.println(args[1]+"不存在");
return;
}
br = new BufferedReader(new FileReader(filterFile));
while ((ipAddr = br.readLine()) != null) {
if (ipAddr.length() <= 0)
continue;
if (ip_port_pattern.matcher(ipAddr).matches()) { // [IP]:[port]
String ipAddrDetail[] = ipAddr.split(":");
// 可保留前两个或后两个,也可以全写
// me -> [IP]:[port] TCP
Runtime.getRuntime().exec(
"netsh ipsec static add filter filterlist="
+ FILTER_LIST_NAME
+ " srcaddr=me dstaddr="
+ ipAddrDetail[0]
+ " dstport="
+ ipAddrDetail[1]
+" protocol=TCP").waitFor();
// me -> [IP]:[port] UDP
Runtime.getRuntime().exec(
"netsh ipsec static add filter filterlist="
+ FILTER_LIST_NAME
+ " srcaddr=me dstaddr="
+ ipAddrDetail[0]
+ " dstport="
+ ipAddrDetail[1]
+" protocol=UDP").waitFor();
// [IP]:[port] -> me TCP
Runtime.getRuntime().exec(
"netsh ipsec static add filter filterlist="
+ FILTER_LIST_NAME
+ " srcaddr="
+ ipAddrDetail[0]
+" dstaddr=me srcport="
+ ipAddrDetail[1]
+ " protocol=TCP").waitFor();
// [IP]:[port] -> me UDP
Runtime.getRuntime().exec(
"netsh ipsec static add filter filterlist="
+ FILTER_LIST_NAME
+ " srcaddr="
+ ipAddrDetail[0]
+" dstaddr=me srcport="
+ ipAddrDetail[1]
+ " protocol=TCP").waitFor();
System.out.println("已过滤" + ipAddr);
} else if(ip_pattern.matcher(ipAddr).matches()) {
// 保留其中一个即可,也可以全写
// me -> [IP]
Runtime.getRuntime().exec(
"netsh ipsec static add filter filterlist="
+ FILTER_LIST_NAME
+ " srcaddr=me dstaddr="
+ ipAddr
+ " protocol=ANY").waitFor();
// [IP] -> me
Runtime.getRuntime().exec(
"netsh ipsec static add filter filterlist="
+ FILTER_LIST_NAME
+ " srcaddr="
+ ipAddr
+" dstaddr=me protocol=ANY").waitFor();
System.out.println("已过滤" + ipAddr);
} else {
System.out.println(ipAddr + "不是合法的格式");
}
}
} catch (Exception e) {
e.printStackTrace();
} finally {
if (br != null) {
br.close();
br = null;
}
}
System.out.println("done!");
} else if (args[0].equals("-a")) {
if (ip_pattern.matcher(args[1]).matches()) {
// me -> [IP]
Runtime.getRuntime().exec(
"netsh ipsec static add filter filterlist="
+ FILTER_LIST_NAME + " srcaddr=me dstaddr="
+ args[1]
+ " protocol=ANY").waitFor();
// [IP] -> me
Runtime.getRuntime().exec(
"netsh ipsec static add filter filterlist="
+ FILTER_LIST_NAME + " srcaddr="
+ args[1]
+" dstaddr=me protocol=ANY").waitFor();
System.out.println("已过滤" + args[1]);
} else if(ip_port_pattern.matcher(args[1]).matches()) {
String ipAddrDetail[] = args[1].split(":");
// me -> [IP]:[port] TCP
Runtime.getRuntime().exec(
"netsh ipsec static add filter filterlist="
+ FILTER_LIST_NAME
+ " srcaddr=me dstaddr="
+ ipAddrDetail[0]
+ " dstport="
+ ipAddrDetail[1]
+ " protocol=TCP").waitFor();
// me -> [IP]:[port] UDP
Runtime.getRuntime().exec(
"netsh ipsec static add filter filterlist="
+ FILTER_LIST_NAME
+ " srcaddr=me dstaddr="
+ ipAddrDetail[0]
+ " dstport="
+ ipAddrDetail[1]
+ " protocol=UDP").waitFor();
// [IP]:[port] -> me UDP
Runtime.getRuntime().exec(
"netsh ipsec static add filter filterlist="
+ FILTER_LIST_NAME
+ " srcaddr="
+ ipAddrDetail[0]
+" dstaddr=me"
+ " srcport="
+ ipAddrDetail[1]
+ " protocol=UDP").waitFor();
// [IP]:[port] -> me TCP
Runtime.getRuntime().exec(
"netsh ipsec static add filter filterlist="
+ FILTER_LIST_NAME
+ " srcaddr="
+ ipAddrDetail[0]
+" dstaddr=me"
+ " srcport="
+ ipAddrDetail[1]
+ " protocol=TCP").waitFor();
System.out.println("已过滤" + args[1]);
} else {
System.out.println(args[1] + "不是合法的格式");
}
} else {
printUsage();
}
}
static void printUsage() {
System.out.println("Usage:IPFilter type [filename|IPAddr]");
System.out.println("type: [-f | -a]");
System.out.println(" -f filename");
System.out.println(" -a IPAddr");
}
}