标签:win rem ccm 允许 指定 筛选 格式 rip serve
WIN2003下直接就是netsh IPSEC命令,XP系统用ipseccmd,2000下用ipsecpol,常用的参数如下:
-w reg 表明将配置写入注册表,重启后仍有效。
-p 指定策略名称,如果名称存在,则将该规则加入此策略,否则创建一个。
-r 指定规则名称。
-n 指定操作,可以是BLOCK、PASS或者INPASS,必须大写。
-x 激活该策略。
-y 使之无效。
-o 删除-p指定的策略。
其中最关键的是-f。它用来设置你的过滤规则,格式为
A.B.C.Dmaskport=A.B.C.Dmaskportprotocol。其中=前面的是源地址,后面是目的地址。如果使用+,则表明此规则是双向的。IP地址中用*代表任何IP地址,0代表我自己的IP地址。还可以使用通配符,比如144.92.. 等效于 144.92.0.0255.255.0.0。使用ipseccmd 可以获得它的帮助。
如果希望将规则删除,需要先使用-y使之无效,否则删除后它还会持续一段时间。
myipsec2003.bat:
rem 添加安全策略名称
netsh ipsec static add policy name=我的安全策略
rem 添加 IP筛选器列表
netsh ipsec static add filterlist name=允许列表
netsh ipsec static add filterlist name=拒绝列表
rem 添加筛选器到IP筛选器列表(允许上网成功)
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=web访问 protocol=tcp mirrored=yes dstport=80
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=dns访问 protocol=tcp mirrored=yes dstport=53
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=dns访问 protocol=udp mirrored=yes dstport=53
rem 共享别机打印成功
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.77 description=打印 protocol=tcp mirrored=yes dstport=139
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.77 description=打印 protocol=udp mirrored=yes dstport=138
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.77 description=打印 protocol=udp mirrored=yes dstport=137
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.77 description=打印 protocol=tcp mirrored=yes dstport=445
rem 服务器
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.201 description=服务器 protocol=tcp mirrored=yes dstport=139
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.201 description=服务器 protocol=udp mirrored=yes dstport=138
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.201 description=服务器 protocol=udp mirrored=yes dstport=137
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.201 description=服务器 protocol=tcp mirrored=yes dstport=445
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.203 description=服务器 protocol=tcp mirrored=yes dstport=139
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.203 description=服务器 protocol=udp mirrored=yes dstport=138
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.203 description=服务器 protocol=udp mirrored=yes dstport=137
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.203 description=服务器 protocol=tcp mirrored=yes dstport=445
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.202 description=服务器 protocol=tcp mirrored=yes dstport=139
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.202 description=服务器 protocol=udp mirrored=yes dstport=138
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.202 description=服务器 protocol=udp mirrored=yes dstport=137
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.202 description=服务器 protocol=tcp mirrored=yes dstport=445
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.105 description=服务器 protocol=tcp mirrored=yes dstport=139
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.105 description=服务器 protocol=udp mirrored=yes dstport=138
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.105 description=服务器 protocol=udp mirrored=yes dstport=137
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.105 description=服务器 protocol=tcp mirrored=yes dstport=445
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.88 description=服务器 protocol=tcp mirrored=yes dstport=139
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.88 description=服务器 protocol=udp mirrored=yes dstport=138
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.88 description=服务器 protocol=udp mirrored=yes dstport=137
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.88 description=服务器 protocol=tcp mirrored=yes dstport=445
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.155 description=服务器 protocol=tcp mirrored=yes dstport=139
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.155 description=服务器 protocol=udp mirrored=yes dstport=138
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.155 description=服务器 protocol=udp mirrored=yes dstport=137
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.155 description=服务器 protocol=tcp mirrored=yes dstport=445
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.155 description=服务器 protocol=udp mirrored=yes dstport=445
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=ping访问 protocol=ICMP mirrored=yes
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=sybase访问 protocol=tcp mirrored=yes dstport=5000
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=dameware protocol=tcp mirrored=yes dstport=6129
netsh ipsec static add filter filterlist=允许列表 srcaddr=any dstaddr=me description=remotelyanywhere protocol=tcp mirrored=yes dstport=2000
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=pcanywhere protocol=tcp mirrored=yes dstport=5631
netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=pcanywhere protocol=udp mirrored=yes dstport=5632
rem 添加筛选器到IP筛选器列表(不让别人访问)
netsh ipsec static add filter filterlist=拒绝列表 srcaddr=any dstaddr=me description=别人到我任何访问 protocol=any mirrored=yes
netsh ipsec static add filter filterlist=拒绝列表 srcaddr=me dstaddr=any description=我到任何访问 protocol=any mirrored=yes
rem 添加筛选器操作
netsh ipsec static add filteraction name=可以 action=permit
netsh ipsec static add filteraction name=不可以 action=block
rem 创建一个链接指定 IPSec 策略、筛选器列表和筛选器操作的规则(加入规则到我的安全策略)
netsh ipsec static add rule name=允许规则 policy=我的安全策略 filterlist=允许列表 filteraction=可以
netsh ipsec static add rule name=拒绝规则 policy=我的安全策略 filterlist=拒绝列表 filteraction=不可以
rem 激活我的安全策略
netsh ipsec static set policy name=我的安全策略 assign=y
rem 总结一下,策略policy(规则rule(筛选器列表filterlist(筛选器filter))—筛选器操作filteraction)
rem netsh ipsec static delete policy name=我的安全策略
rem netsh ipsec static delete policy all
rem netsh ipsec static show policy all
rem netsh firewall delete portopening TCP 2000
myipsecdel.bat:
netsh ipsec static delete policy name=我的安全策略
rem netsh ipsec static delete policy all
winxpipsec.bat:
rem 设置策略名称及策略中包括的规则详细内容
ipseccmd -w REG -p "Block default ports" -y
ipseccmd -w REG -p "Block default ports" -o
ipseccmd -w REG -p "Block default ports" -r "Block all" -f 0+* -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block TCP/135" -f *+0:135:TCP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block TCP/139" -f *+0:139:TCP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block TCP/445" -f *+0:445:TCP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/123" -f *+0:123:UDP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/135" -f *+0:135:UDP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/137" -f *+0:137:UDP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/138" -f *+0:138:UDP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/139" -f *+0:139:UDP -n BLOCK
rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/445" -f *+0:445:UDP -n BLOCK
ipseccmd -w REG -p "Block default ports" -r "allow server" -f 0+200.200.200.201:445:UDP -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow server" -f 0+200.200.200.201:445:TCP -n PASS
rem ipseccmd -w REG -p "Block default ports" -r "allow server" -f 0+200.200.200.201:137:UDP -n PASS
rem ipseccmd -w REG -p "Block default ports" -r "allow server" -f 0+200.200.200.201:138:UDP -n PASS
rem ipseccmd -w REG -p "Block default ports" -r "allow server" -f 0+200.200.200.201:139:tcp -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow print" -f 0+200.200.200.77:445:UDP -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow print" -f 0+200.200.200.77:445:TCP -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow print" -f 0+200.200.200.77:137:UDP -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow print" -f 0+200.200.200.77:138:UDP -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow print" -f 0+200.200.200.77:139:tcp -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow sqlserver" -f 0+*:1433:tcp -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow sybase" -f 0+*:5000:tcp -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow sybase" -f 0+*:5001:tcp -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow sybase" -f 0+*:5002:tcp -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow dameware" -f 200.200.200.106+0:6129:tcp -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow pcanywhere" -f 200.200.200.106+0:5631:tcp -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow firebird" -f 0+*:211:tcp -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow firebird" -f 0+*:3050:tcp -n PASS
ipseccmd -w REG -p "Block default ports" -r "allow ping" -f *+*::ICMP -n PASS
ipseccmd -w REG -p "Block default ports" -x
rem 激活此策略
winxpipsec_del.bat:
rem 不指派,第一条先不指派此策略,第二条再删除此策略
ipseccmd -w REG -p "Block default ports" -y
ipseccmd -w REG -p "Block default ports" -o
win2000ipsec.bat:
rem 设置策略名称及策略中包括的规则详细内容
rem ipsecpol -w REG -p "Block default ports" -y
rem ipsecpol -w REG -p "Block default ports" -o
ipsecpol -w REG -p "Block default ports" -r "Block all" -f 0+* -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block TCP/135" -f *+0:135:TCP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block TCP/139" -f *+0:139:TCP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block TCP/445" -f *+0:445:TCP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/123" -f *+0:123:UDP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/135" -f *+0:135:UDP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/137" -f *+0:137:UDP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/138" -f *+0:138:UDP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/139" -f *+0:139:UDP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/445" -f *+0:445:UDP -n BLOCK
rem ipsecpol -w REG -p "Block default ports" -r "allow UDP/137" -f *+0:137:UDP -n PASS
rem ipsecpol -w REG -p "Block default ports" -r "allow UDP/138" -f *+0:138:UDP -n PASS
rem ipsecpol -w REG -p "Block default ports" -r "allow UDP/139" -f *+0:139:UDP -n PASS
rem ipsecpol -w REG -p "Block default ports" -r "allow tcp/139" -f *+0:139:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow tcP/445" -f *+0:445:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow UDP/445" -f *+0:445:udp -n PASS
rem ipsecpol -w REG -p "Block default ports" -r "allow sybase" -f 0+*:5000:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow sybase" -f *+0:5000:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow sybase sqlserver5001" -f *+0:5001:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow sybase sqlserver5002" -f *+0:5002:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow sqlserver" -f *+0:1433:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow pcanywhere tcp" -f 200.200.200.106+0:5631:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow pcanywhere udp" -f 200.200.200.106+0:5632:udp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow dameware" -f 200.200.200.106+0:6129:tcp -n PASS
rem ipsecpol -w REG -p "Block default ports" -r "allow firebird" -f 0+*:211:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow firebird211" -f *+0:211:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow firebird3050" -f *+0:3050:tcp -n PASS
ipsecpol -w REG -p "Block default ports" -r "allow ping" -f 0+*::ICMP -n PASS
ipsecpol -w REG -p "Block default ports" -x
rem 激活此策略
win2000ipsec_del.bat:
rem 不指派,第一条先不指派此策略,第二条再删除此策略
ipsecpol -w REG -p "Block default ports" -y
ipsecpol -w REG -p "Block default ports" -o
标签:win rem ccm 允许 指定 筛选 格式 rip serve
原文地址:https://www.cnblogs.com/Hackerman/p/12467050.html