netsh is a very powerful command-line network configuration tool. It can configure network adapters, the firewall, IP security policies and more. For example, if we want precise control over which IP address may reach a particular port on the local machine, we can do that entirely by configuring local IPSec.
Configuring an IPSec policy generally takes five steps:
[1] Create the policy.
[2] Create the filters (filter lists).
[3] Create the filter action.
[4] Create the rule (which ties the filter list and filter action into the policy).
[5] Enable or disable the policy.
-------------------------------------------------------------------------------------------
IPSec can be configured either through the graphical interface that ships with Windows or from the command line; a developer who wants to use IPSec from their own program will naturally be more interested in the command-line approach.
--------------------------------------------------------------------------------------------------------------------------------
rem Add the security policy (name only)
netsh ipsec static add policy name=Wall
rem Add the IP filter lists
netsh ipsec static add filterlist name=ALLowWall
netsh ipsec static add filterlist name=DenyWall
rem Add filters to the IP filter list (allow outbound internet access)
netsh ipsec static add filter filterlist=ALLowWall srcaddr=me dstaddr=any description=web protocol=tcp mirrored=yes dstport=80
netsh ipsec static add filter filterlist=ALLowWall srcaddr=me dstaddr=any description=dns protocol=tcp mirrored=yes dstport=53
netsh ipsec static add filter filterlist=ALLowWall srcaddr=me dstaddr=any description=dns protocol=udp mirrored=yes dstport=53
rem Server
netsh ipsec static add filter filterlist=ALLowWall srcaddr=me dstaddr=192.168.148.1 description=Server protocol=tcp mirrored=yes dstport=139
netsh ipsec static add filter filterlist=ALLowWall srcaddr=me dstaddr=192.168.148.1 description=Server protocol=udp mirrored=yes dstport=138
netsh ipsec static add filter filterlist=ALLowWall srcaddr=me dstaddr=192.168.148.1 description=Server protocol=udp mirrored=yes dstport=137
netsh ipsec static add filter filterlist=ALLowWall srcaddr=me dstaddr=192.168.148.1 description=Server protocol=tcp mirrored=yes dstport=445
netsh ipsec static add filter filterlist=ALLowWall srcaddr=me dstaddr=192.168.148.1 description=Server protocol=udp mirrored=yes dstport=445
REM netsh ipsec static add filter filterlist=ALLowWall srcaddr=me dstaddr=any description=ping protocol=ICMP mirrored=yes
netsh ipsec static add filter filterlist=ALLowWall srcaddr=me dstaddr=any description=sybase protocol=tcp mirrored=yes dstport=5000
netsh ipsec static add filter filterlist=ALLowWall srcaddr=me dstaddr=any description=dameware protocol=tcp mirrored=yes dstport=6129
netsh ipsec static add filter filterlist=ALLowWall srcaddr=any dstaddr=me description=remotelyanywhere protocol=tcp mirrored=yes dstport=2000
netsh ipsec static add filter filterlist=ALLowWall srcaddr=me dstaddr=any description=pcanywhere protocol=tcp mirrored=yes dstport=5631
netsh ipsec static add filter filterlist=ALLowWall srcaddr=me dstaddr=any description=pcanywhere protocol=udp mirrored=yes dstport=5632
rem Add filters to the IP filter list (keep others from reaching this host)
netsh ipsec static add filter filterlist=DenyWall srcaddr=any dstaddr=me description=anyTome protocol=any mirrored=yes
netsh ipsec static add filter filterlist=DenyWall srcaddr=me dstaddr=any description=meOut protocol=any mirrored=yes
rem Add the filter actions
netsh ipsec static add filteraction name=ALLowAction action=permit
netsh ipsec static add filteraction name=DenyAction action=block
rem Create the rules that link the IPSec policy, filter list and filter action (add the rules to my security policy)
netsh ipsec static add rule name=ALLowRule policy=Wall filterlist=ALLowWall filteraction=ALLowAction
netsh ipsec static add rule name=DenyRule policy=Wall filterlist=DenyWall filteraction=DenyAction
rem Activate my security policy
netsh ipsec static set policy name=Wall assign=y
pause
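As an added example (not part of the original post), the single-IP, single-port case described at the top written as a batch script in the same netsh ipsec static style, with the fifth step (verify and disable) that the script above only assigns; the policy name Port3389Guard, the client address 192.168.148.50 and port 3389 are constructed placeholders.

```batch
@echo off
rem Added example: allow exactly one host to reach one local TCP port, block everyone else.
rem Placeholders (constructed, change before use): trusted client, guarded port, policy name.
set TRUSTED=192.168.148.50
set PORT=3389
set POL=Port3389Guard

rem [1] Policy. activatedefaultrule=no keeps the default response rule out of the picture.
netsh ipsec static add policy name=%POL% description="only %TRUSTED% may reach tcp/%PORT%" activatedefaultrule=no

rem [2] Filters: one list with the single permitted peer, one catch-all list for the same port.
netsh ipsec static add filterlist name=%POL%-Allow
netsh ipsec static add filterlist name=%POL%-Deny
netsh ipsec static add filter filterlist=%POL%-Allow srcaddr=%TRUSTED% dstaddr=me protocol=tcp dstport=%PORT% mirrored=yes description="trusted client"
netsh ipsec static add filter filterlist=%POL%-Deny srcaddr=any dstaddr=me protocol=tcp dstport=%PORT% mirrored=yes description="everyone else"

rem [3] Filter actions.
netsh ipsec static add filteraction name=%POL%-Permit action=permit
netsh ipsec static add filteraction name=%POL%-Block action=block

rem [4] Rules tie list and action into the policy. Windows IPsec applies the MOST SPECIFIC
rem     matching filter, so the single-host permit wins over the any-source block whatever
rem     the order in which the rules were added.
netsh ipsec static add rule name=%POL%-AllowRule policy=%POL% filterlist=%POL%-Allow filteraction=%POL%-Permit
netsh ipsec static add rule name=%POL%-DenyRule policy=%POL% filterlist=%POL%-Deny filteraction=%POL%-Block

rem [5] Enable, then verify what is actually assigned.
netsh ipsec static set policy name=%POL% assign=y
netsh ipsec static show policy name=%POL% level=verbose

rem Roll-back (step 5, the disable side): unassign first, then remove the objects.
rem delete policy removes the policy and its rules only; lists and actions go separately.
rem netsh ipsec static set policy name=%POL% assign=n
rem netsh ipsec static delete policy name=%POL%
rem netsh ipsec static delete filterlist name=%POL%-Allow
rem netsh ipsec static delete filterlist name=%POL%-Deny
rem netsh ipsec static delete filteraction name=%POL%-Permit
rem netsh ipsec static delete filteraction name=%POL%-Block
```

The block takes effect the moment assign=y runs, so when the guarded port is the one carrying your own remote session, have the assign=n line ready before applying the policy.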