IPsec 是一個很有用的功能,以前在服務器端上用過,那個時候常常都手動添加,量少還好,多了就會覺得繁瑣。
下面就來了解下基於CMD版本的IPsec
# 批處理小知識
bat腳本獲取管理員權限
@echo off
REM Self-elevation. On the first run %1 is empty, so this line runs mshta,
REM which asks ShellExecute to start "cmd.exe /c <this script> ::" with the
REM "runas" verb (the UAC elevation prompt) and then exits this instance.
REM In the elevated instance %1 is "::", which turns the whole line into a
REM label line that cmd ignores, so execution falls through to the cd below.
REM NOTE(review): %~s0 is the 8.3 short path, used so the argument carries no
REM spaces; on volumes where short names are disabled it may fall back to the
REM long path and break the quoting - confirm on the target machine.
%1 mshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c %~s0 ::","","runas",1)(window.close)&&exit
REM Work from the script's own directory (%~dp0 = drive and path of the script).
cd /d "%~dp0"
## CMD批處理添加IPsec
# 創建一個名字為“IPblock_list”的安全策略,並添加安全策略描述(policy)
REM Create the policy container with a human-readable description. It does
REM nothing by itself; it is activated later with "set policy ... assign=y".
netsh ipsec static add policy name=IPblock_list description="IP Block List"
# 創建篩選列表(filterlist)
example:
REM Create the (initially empty) filter list that the filters and the rule
REM below refer to by this name.
netsh ipsec static add filterlist name=denyAll
# 創建篩選器(filter)
篩選器的參數及含義如下:
標簽 值
filterlist -篩選器要添加到的篩選器列表的名稱。
srcaddr -源 ip 地址,dns 名稱或 server 類型。
dstaddr -目標 ip 地址,dns 名稱或 server 類型。
description -篩選器的簡短信息。
protocol -可以是 ANY,ICMP,TCP,UDP,RAW,或者一個整數。
mirrored -值為 yes 將創建兩個篩選器,每個方向一個。
srcmask -源地址掩碼或一個 1 到 32 的前綴。
dstmask -目標地址掩碼或一個 1 到 32 的前綴。
srcport -數據包的源端口。值為 0 意味着任意端口。
dstport -數據包的目標端口。值為 0 意味着任意端口。
REM One filter per blocked port. srcaddr=0.0.0.0 with srcmask=0.0.0.0 matches
REM any source address; dstaddr=me is this host; description is only a label.
REM NOTE(review): mirrored is not given here. Per the parameter table above,
REM mirrored=yes creates one filter per direction - confirm which default
REM applies on the target system before relying on the reverse direction.
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=TCP dstport=21 description="TCP21ftp"
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=TCP dstport=23 description="TCP23telnet"
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=TCP dstport=135 description="TCP135RPC"
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=TCP dstport=139 description="TCP139NetworkShare"
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=TCP dstport=445 description="TCP445SMB"
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=UDP dstport=69 description="UDP69Tftp"
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=UDP dstport=137 description="UDP137NetBIOS"
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=UDP dstport=138 description="UDP138NetBIOS"
## 創建篩選器動作(filteraction)
創建篩選器動作的相關參數:
標簽 值
name -篩選器操作的名稱。
description -篩選器操作類別的簡短信息。
qmpfs -設置快速模式完全向前保密的選項。
inpass -接受不安全的通訊,但是總是用 IPSec響應。這接受 yes 或 no。
soft -允許與沒有 IPSec 的計算機進行不安全的通訊。可以是 yes 或 no。
action -可以是 permit,block 或 negotiate。
REM Two filter actions: "allow" permits matching traffic, "deny" blocks it.
REM Only "deny" is referenced by the rule below; "allow" is defined for reuse.
netsh ipsec static add filteraction name=allow action=permit
netsh ipsec static add filteraction name=deny action=block
# 添加一個規則(rule)
REM Bind the filter list (what to match) and the block action (what to do)
REM into the policy as one rule.
netsh ipsec static add rule name=deny policy=IPblock_list filterlist=denyAll filteraction=deny
# 指派安全策略(policy)
REM Assigning activates the policy; only one IPsec policy is assigned at a time.
REM NOTE(review): once assigned, anything reaching this host on the blocked
REM ports is dropped - check that no management session depends on them
REM before running this remotely.
netsh ipsec static set policy name=IPblock_list assign=y
# 導出安全策略(policy)
REM Export the whole policy store to a file (useful as a backup before
REM "del all" below, and for copying the policy to other hosts).
netsh ipsec static exportpolicy c:\Loki.ipsec
# 把安全策略導入(policy)
REM Load a previously exported policy file into this host's policy store.
netsh ipsec static importpolicy c:\Loki.ipsec
# 刪除所有IP安全策略(policy)
刪除IP安全策略中的所有的內容,包括所有的策略、規則、篩選器列表、篩選器、篩選器動作等。
REM Removes every IPsec policy, rule, filter list, filter and action on the
REM machine - not only the ones created above. Export first if they are needed.
netsh ipsec static del all
# 自己制作的IPsec 批處理 for Win11
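@ echo off
REM IPsec block-list installer for the "netsh ipsec static" policy store.
REM Creates one policy (IPblock_list), one filter list (denyAll) that matches
REM inbound TCP 21/23/135/139/445 and UDP 69/137/138 from any source to this
REM host, one block action (deny) and one rule, then assigns the policy.
REM Must run elevated: every netsh call below fails without admin rights.
REM
REM Elevation: on the first run %1/%2 are empty. If "net session" succeeds we
REM already hold admin rights and jump straight to :Admin. Otherwise the script
REM relaunches itself through mshta/ShellExecute with the "runas" verb (UAC
REM prompt) and the arguments "goto :Admin", which the "%1 %2" line turns into
REM a jump in the elevated instance. The original 'ver|find "5."' test was a
REM plain substring match, so any version string containing "5." (for example a
REM build number such as 10.0.19045.x) skipped elevation and every netsh call
REM then failed; testing admin rights directly avoids that.
%1 %2
net session >nul 2>&1 && goto :Admin
mshta vbscript:createobject("shell.application").shellexecute("%~s0","goto :Admin","","runas",1)(window.close)&goto :eof
:: Author: Loki 20211012 beta1
:Admin
REM Each netsh call is followed by "|| goto :fail" so the first failure stops
REM the script instead of leaving a half-built policy, and the screen is no
REM longer cleared between steps so netsh's own error text stays visible.
set "backup=c:\old_ipsec.ipsec"
echo setp. 1/7 Clean up and Back up other old IPsec
REM The backup must succeed before anything is deleted: "del all" removes every
REM IPsec policy, rule, filter list, filter and action on the machine, not only
REM the ones this script creates. The backup path is fixed, so an earlier backup
REM at the same path is overwritten.
netsh ipsec static exportpolicy %backup% || goto :fail
netsh ipsec static del all || goto :fail
echo setp. 2/7 Create policy
netsh ipsec static add policy name=IPblock_list description="IP Block List for Loki 20211012" || goto :fail
echo setp. 3/7 Create filterlist
netsh ipsec static add filterlist name=denyAll || goto :fail
echo setp. 4/7 Create filter TCP 21 23 135 139 445 UDP 69 137 138
REM srcaddr=0.0.0.0 with srcmask=0.0.0.0 matches any source; dstaddr=me is
REM this host.
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=TCP dstport=21 description="TCP21ftp" || goto :fail
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=TCP dstport=23 description="TCP23telnet" || goto :fail
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=TCP dstport=135 description="TCP135RPC" || goto :fail
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=TCP dstport=139 description="TCP139NetworkShare" || goto :fail
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=TCP dstport=445 description="TCP445SMB" || goto :fail
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=UDP dstport=69 description="UDP69Tftp" || goto :fail
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=UDP dstport=137 description="UDP137NetBIOS" || goto :fail
netsh ipsec static add filter filterlist=denyAll srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=me protocol=UDP dstport=138 description="UDP138NetBIOS" || goto :fail
echo setp. 5/7 Create filteraction = deny
netsh ipsec static add filteraction name=deny action=block || goto :fail
echo setp. 6/7 Create rule
netsh ipsec static add rule name=deny policy=IPblock_list filterlist=denyAll filteraction=deny || goto :fail
echo setp. 7/7 Assign security policy
REM Assigning makes the policy active immediately. NOTE(review): on a
REM domain-joined host, blocking 135/139/445 may also affect traffic the host
REM itself needs - confirm before rolling this out widely.
netsh ipsec static set policy name=IPblock_list assign=y || goto :fail
echo Congratulations! It's done
@pause
goto :eof

:fail
REM Reached when any netsh command above reports failure; tell the operator how
REM to get the previous policy set back if the step-1 export had completed.
echo ERROR: a netsh command failed - see the message above.
echo If the export in step 1 completed, the previous policies are in %backup%
echo and can be restored with:
echo   netsh ipsec static importpolicy %backup%
@pause
exit /b 1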