2025-01-22 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains how to build IP security policies from a batch script: with netsh ipsec on Windows Server 2003 and with ipsecpol on Windows 2000. It is a reference for anyone who needs to restrict which addresses may reach which ports on a server without a separate firewall.
netsh is a command-line scripting utility built into Windows 2000/XP/2003 that displays or modifies the network configuration of the local computer or of a remote one.
The netsh ipsec context is reported to exist only on Windows Server 2003; the commands below were tested on 2003.
An IP security policy is made up of rules, and each rule has two parts. The first is an IP filter list, which says which traffic the rule applies to (source and destination address, port and protocol). The second is a filter action, which says what to do with matching traffic (permit or block). Writing the policy is not enough: it must be assigned (activated) before it takes effect, and only one policy can be assigned on a machine at a time. Two further points matter when reading the scripts below: traffic that matches no filter in the assigned policy is not touched by IPsec at all, and when several filters match the same packet the most specific one decides, not the rule that was added first.
The following example, with notes, stops the machine 192.168.1.2 from reaching this host's TCP port 3389 (Remote Desktop). Some commonly used commands follow it.
REM first create a security policy named XBLUE
netsh ipsec static add policy name=XBLUE
REM create a filter list, and in it a filter matching 192.168.1.2 -> this host, TCP 3389
netsh ipsec static add filterlist name=denyip
netsh ipsec static add filter filterlist=denyip srcaddr=192.168.1.2 dstaddr=Me dstport=3389 protocol=TCP
REM create a filter action that blocks
netsh ipsec static add filteraction name=denyact action=block
REM add a rule to policy XBLUE tying the filter list to the action
netsh ipsec static add rule name=kill3389 policy=XBLUE filterlist=denyip filteraction=denyact
REM assign (activate) the policy
netsh ipsec static set policy name=XBLUE assign=y
Export the local policy store to a file:
netsh ipsec static exportpolicy file=d:\ip.ipsec
Delete all security policies (this includes the assigned one, so all filtering stops):
netsh ipsec static delete all
Import a policy file:
netsh ipsec static importpolicy file=d:\ip.ipsec
Assign (activate) a policy:
netsh ipsec static set policy name=<PolicyName> assign=y
Intrusion: flexible use of the same commands
I got sa privileges on 61.90.227.136, but an IP security policy on that host restricts access to its 3389, and I want to use its 3389. The existing policy is called ConnRest; the new rule reuses a filter action named Permit that the host's policy store already has (it is not created here), so only a filter list and a rule are added:
netsh ipsec static add filterlist name=welcomexblue
netsh ipsec static add filter filterlist=welcomexblue srcaddr=220.207.31.249 dstaddr=Me dstport=7892 protocol=TCP
netsh ipsec static add rule name=letxblue policy=ConnRest filterlist=welcomexblue filteraction=Permit
Result: the port is now reachable from 220.207.31.249.
Remove the rule:
netsh ipsec static del rule name=letxblue policy=ConnRest
Change the filter to port 3389 instead:
netsh ipsec static set filter filterlist=welcomexblue srcaddr=220.207.31.249 dstaddr=Me dstport=3389 protocol=TCP
Clean up the rule and the filter list:
netsh ipsec static del rule name=letxblue policy=ConnRest
netsh ipsec static del filterlist name=welcomexblue
The following is for Windows 2000
Adding IP security policies on Windows 2000 requires ipsecpol from the Windows 2000 Resource Kit (one exe and two dlls). Its usage is not covered here; run it with its help switch and redirect the output to a file such as ipsecpolhelp.txt to read it. In its filter specs, 0 means this host's own address, * means any address, + makes the filter mirrored (both directions) and = makes it one-way; a port follows an address after a colon and the protocol comes last. Below is my own script.
Rem first block everything: any address <-> this host (mirrored)
ipsecpol -w REG -p "Haishion" -r "Block All IP" -f *+0 -n BLOCK
Rem give certain machines, such as your own workstation, unrestricted access
ipsecpol -w REG -p "Haishion" -r "Allow IP" -f ^
  210.34.0.1+0 ^
  210.34.0.2+0 ^
  -n PASS
Rem open server ports to everyone: FTP 20 and 21, HTTP 80
ipsecpol -w REG -p "Haishion" -r "Open Port" -f ^
  *+0:20:TCP ^
  *+0:21:TCP ^
  *+0:80:TCP ^
  -n PASS
Rem let this host out to DNS (UDP 53) and HTTP (TCP 80), and let 210.34.0.3 in to TCP 8080
ipsecpol -w REG -p "Haishion" -r "Allow IP Port" -f ^
  0+*:53:UDP ^
  0+*:80:TCP ^
  210.34.0.3+0:8080:TCP ^
  -n PASS
Rem assign the policy (-x); nothing above takes effect until this runs
ipsecpol -w REG -p "Haishion" -x
The same design with netsh on Windows Server 2003: block everything, then permit specific addresses and ports. Because filters are mirrored by default and the most specific matching filter wins, the Permit rules override the blanket Block rule. Run it from the console or from an address that is in the UnLimitedIP list: once assigned, everything not explicitly permitted is cut, including the server's own outbound name resolution, since the only outbound traffic opened is TCP 80. The code is as follows:
REM = start =
netsh ipsec static add policy name=bim
REM two filter actions, Block and Permit
netsh ipsec static add filteraction name=Permit action=permit
netsh ipsec static add filteraction name=Block action=block
REM first forbid all traffic between this host and anyone (mirrored, so both directions)
netsh ipsec static add filterlist name=AllAccess
netsh ipsec static add filter filterlist=AllAccess srcaddr=Me dstaddr=Any
netsh ipsec static add rule name=BlockAllAccess policy=bim filterlist=AllAccess filteraction=Block
REM unrestricted access for some IPs (put your own administration address here)
netsh ipsec static add filterlist name=UnLimitedIP
netsh ipsec static add filter filterlist=UnLimitedIP srcaddr=61.128.128.67 dstaddr=Me
netsh ipsec static add rule name=AllowUnLimitedIP policy=bim filterlist=UnLimitedIP filteraction=Permit
REM open some service ports to everyone: FTP 20 and 21, HTTP 80, RDP 3389
netsh ipsec static add filterlist name=OpenSomePort
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=20 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=21 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=80 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=3389 protocol=TCP
netsh ipsec static add rule name=AllowOpenSomePort policy=bim filterlist=OpenSomePort filteraction=Permit
REM let this host out to TCP 80 only, and let one IP in to SQL Server (TCP 1433)
netsh ipsec static add filterlist name=SomeIPSomePort
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=80 protocol=TCP
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=61.128.128.68 dstaddr=Me dstport=1433 protocol=TCP
netsh ipsec static add rule name=AllowSomeIPSomePort policy=bim filterlist=SomeIPSomePort filteraction=Permit
REM assign the policy; nothing above takes effect until this runs
netsh ipsec static set policy name=bim assign=y
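As an added example (not code from the article or from netsh/ipsecpol), the following Python models the filtering that the two scripts above set up, covering both the ipsecpol (Windows 2000) and the netsh (2003) versions. It parses ipsecpol -f filter specs into the equivalent netsh add filter command lines, and for constructed packets answers which filter decides, applying the Windows rule that the most specific matching filter wins rather than the first rule added, with mirrored filters matching the return direction. ME, ADMIN_IP and DB_CLIENT are RFC 5737 stand-ins for the addresses on the page; the numeric weighting and the block-on-tie rule are simplifications, both assumptions.

```python
"""Added example for this article (not netsh or ipsecpol code): a model of
Windows IPsec static filtering. Parses ipsecpol filter specs into the filter
structure that netsh 'add filter' builds, and evaluates constructed packets
against the article's policies with most-specific-match-wins. Addresses are
RFC 5737 stand-ins and the weighting is a simplification (assumptions)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ME = "192.0.2.10"            # constructed: the protected host ("Me" in netsh, "0" in ipsecpol)
ADMIN_IP = "198.51.100.67"   # constructed stand-in for the article's unrestricted admin IP
DB_CLIENT = "198.51.100.68"  # constructed stand-in for the host allowed to TCP 1433

@dataclass(frozen=True)
class Filter:
    src: str                  # "me", "any" or a CIDR string
    dst: str
    srcport: Optional[int]
    dstport: Optional[int]
    proto: Optional[str]      # "TCP", "UDP", ... or None = any protocol
    mirrored: bool            # netsh default mirrored=yes; ipsecpol '+'
    action: str               # "permit" or "block": the rule's filter action

def _addr(tok: str) -> str:
    """0/Me -> me, */Any -> any, anything else -> CIDR (a host becomes /32)."""
    t = tok.lower()
    if t in ("0", "me"):
        return "me"
    if t in ("*", "any"):
        return "any"
    return str(ip_network(tok, strict=False))

def parse_ipsecpol_spec(spec: str, action: str) -> Filter:
    """Parse an 'ipsecpol -f' spec: src[:port]{+|=}dst[:port][:proto].
    '+' = mirrored, '=' = one direction; action is ipsecpol's -n BLOCK/PASS."""
    sep = "+" if "+" in spec else "="
    left, right = spec.split(sep, 1)
    lp, rp = left.split(":"), right.split(":")
    return Filter(
        src=_addr(lp[0]), dst=_addr(rp[0]),
        srcport=int(lp[1]) if len(lp) > 1 and lp[1] else None,
        dstport=int(rp[1]) if len(rp) > 1 and rp[1] else None,
        proto=rp[2].upper() if len(rp) > 2 else None,
        mirrored=(sep == "+"),
        action="permit" if action.upper() == "PASS" else "block",
    )

def _netsh_addr(key: str, a: str) -> str:
    if a in ("me", "any"):
        return f" {key}addr={a}"
    net = ip_network(a)
    if net.prefixlen == 32:
        return f" {key}addr={net.network_address}"
    return f" {key}addr={net.network_address} {key}mask={net.prefixlen}"

def to_netsh(f: Filter, filterlist: str) -> str:
    """Render the equivalent 'netsh ipsec static add filter' command line."""
    cmd = f"netsh ipsec static add filter filterlist={filterlist}"
    cmd += _netsh_addr("src", f.src) + _netsh_addr("dst", f.dst)
    if f.srcport is not None:
        cmd += f" srcport={f.srcport}"
    if f.dstport is not None:
        cmd += f" dstport={f.dstport}"
    if f.proto:
        cmd += f" protocol={f.proto}"
    return cmd + f" mirrored={'yes' if f.mirrored else 'no'}"

def _addr_weight(pattern: str, addr: str) -> Optional[int]:
    """Specificity if addr matches pattern, else None.
    Assumed order, as Windows weights filters: host > subnet > Me > Any."""
    if pattern == "any":
        return 0
    if pattern == "me":
        return 1 if addr == ME else None
    net = ip_network(pattern)
    if ip_address(addr) not in net:
        return None
    return 3 if net.prefixlen == 32 else 2

def _one_way(f: Filter, src, dst, sport, dport, proto) -> Optional[int]:
    s, d = _addr_weight(f.src, src), _addr_weight(f.dst, dst)
    if s is None or d is None:
        return None
    w = s + d
    for want, have in ((f.srcport, sport), (f.dstport, dport), (f.proto, proto)):
        if want is not None:
            if want != have:
                return None
            w += 1                       # each specified port/protocol adds specificity
    return w

def evaluate(policy: List[Filter], src: str, dst: str, dport: int, proto: str,
             sport: int = 50000) -> str:
    """'permit'/'block' from the most specific matching filter (tie -> block, an
    assumption); 'none' when nothing matches, i.e. IPsec leaves the packet alone."""
    best, verdict = -1, "none"
    for f in policy:
        w = _one_way(f, src, dst, sport, dport, proto)
        if w is None and f.mirrored:     # mirrored filter: try the reverse direction
            w = _one_way(f, dst, src, dport, sport, proto)
        if w is not None and (w > best or (w == best and f.action == "block")):
            best, verdict = w, f.action
    return verdict

# The article's XBLUE policy: one block filter and nothing else.
XBLUE = [Filter("192.168.1.2/32", "me", None, 3389, "TCP", True, "block")]

# The article's 'bim' policy with constructed addresses substituted.
BIM = [
    Filter("me", "any", None, None, None, True, "block"),                 # BlockAllAccess
    Filter(f"{ADMIN_IP}/32", "me", None, None, None, True, "permit"),   # UnLimitedIP
    *[Filter("any", "me", None, p, "TCP", True, "permit") for p in (20, 21, 80, 3389)],
    Filter("me", "any", None, 80, "TCP", True, "permit"),                 # outbound HTTP only
    Filter(f"{DB_CLIENT}/32", "me", None, 1433, "TCP", True, "permit"),  # SQL from one host
]

def admin_still_reachable(policy: List[Filter], admin_ip: str, port: int = 3389) -> bool:
    """Run before 'set policy ... assign=y': will the admin's RDP session survive?"""
    return evaluate(policy, admin_ip, ME, port, "TCP") != "block"
```

Calling admin_still_reachable before assigning is the check that keeps a remote box from locking you out. The evaluator also makes two properties of the bim policy visible that the script itself does not: 3389 is open to every address, not just the admin's, and evaluate(BIM, ME, "203.0.113.53", 53, "UDP") returns "block", so the server can no longer resolve names once the policy is assigned.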