Win2003设置IP安全策略批处理脚本

发布者:利来官方网站w66利来 发布时间:2018-6-27 w66利来登录网址:www.ntzhengtong.com
 
代码如下:

REM =================开始================ 
netsh ipsec static ^ 
add policy name=bim 
REM 添加2个动作,block和permit 
netsh ipsec static ^ 
add filteraction name=Permit action=permit 
netsh ipsec static ^ 
add filteraction name=Block action=block 
REM 首先禁止所有访问 
netsh ipsec static ^ 
add filterlist name=AllAccess 
netsh ipsec static ^ 
add filter filterlist=AllAccess srcaddr=Me dstaddr=Any 
netsh ipsec static ^ 
add rule name=BlockAllAccess policy=bim filterlist=AllAccess filteraction=Block 
REM 开放某些IP无限制访问 
netsh ipsec static ^ 
add filterlist name=UnLimitedIP 
netsh ipsec static ^ 
add filter filterlist=UnLimitedIP srcaddr=61.128.128.67 dstaddr=Me 
netsh ipsec static ^ 
add rule name=AllowUnLimitedIP policy=bim filterlist=UnLimitedIP filteraction=Permit 
REM 开放某些端口 
netsh ipsec static ^ 
add filterlist name=OpenSomePort 
netsh ipsec static ^ 
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=20 protocol=TCP 
netsh ipsec static ^ 
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=21 protocol=TCP 
netsh ipsec static ^ 
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=80 protocol=TCP 
netsh ipsec static ^ 
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=3389 protocol=TCP 
netsh ipsec static ^ 
add rule name=AllowOpenSomePort policy=bim filterlist=OpenSomePort filteraction=Permit 
REM 开放某些ip可以访问某些端口 
netsh ipsec static ^ 
add filterlist name=SomeIPSomePort 
netsh ipsec static ^ 
add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=80 protocol=TCP 
netsh ipsec static ^ 
add filter filterlist=SomeIPSomePort srcaddr=61.128.128.68 dstaddr=Me dstport=1433 protocol=TCP 
netsh ipsec static ^ 
add rule name=AllowSomeIPSomePort policy=bim filterlist=SomeIPSomePort filteraction=Permit 

"netsh"是Windows 2000/XP/2003操作系统自身提供的命令行脚本实用工具,它允许用户在本地或远程显示或修改当前正在运行的计算机的利来官方网站w66利来配置。 

netsh ipsec,听闻只有windows2003才能运行。在2003下测试的。 
IP安全策略,我自身的理解就是:一个安全策略由一条条规则组成,而这些规则是由2部分组成的。首先要建立一个ip筛选器(用来指定那些地址)。然后呢是筛选器操作(用来指定对这些ip的操作,就是动作)一个安全策略编写完成了,首先要激活,才能使用,那就是指派。 

下面用实例来说明,然后附带一些常用的。这个例子就是不允许ip为192.168.1.2的机器访问我的3389端口。'后面是注析 

'建立一个名字叫XBLUE的安全策略先 
netsh ipsec static add policy name=XBLUE 
'建立一个ip筛选器,指定192.168.1.2 
netsh ipsec static add filterlist name=denyip 
netsh ipsec static add filter filterlist=denyip srcaddr=192.168.1.2 dstaddr=Me dstport=3389 protocol=TCP 
'建立一个筛选器操作 
netsh ipsec static add filteraction name=denyact action=block 
'加入规则到安全策略XBLUE 
netsh ipsec static add rule name=kill3389 policy=XBLUE filterlist=denyip filteraction=denyact 
'激活这个策略 
netsh ipsec static set policy name=XBLUE assign=y 

把安全策略导出 
netsh ipsec static exportpolicy d:\ip.ipsec 
删除所有安全策略 
netsh ipsec static del all 
把安全策略导入 
netsh ipsec static importpolicy d:\ip.ipsec 
激活这个策略 
netsh ipsec static set policy name=策略名称 assign=y 
入侵灵活运用 
得到了61.90.227.136的sa权限。不过有策略限制,访问不到他的3389。我想用他的3389。 
netsh ipsec static add filterlist name=welcomexblue 
netsh ipsec static add filter filterlist=welcomexblue srcaddr=220.207.31.249 dstaddr=Me dstport=7892 protocol=TCP 
netsh ipsec static add rule name=letxblue policy=ConnRest filterlist=welcomexblue filteraction=Permit 
访问结果 
可以访问了。 
netsh ipsec static del rule name=letxblue policy=ConnRest 
更改 
netsh ipsec static set filter filterlist=welcomexblue srcaddr=220.207.31.249 dstaddr=Me dstport=3389 protocol=TCP 
删除 
netsh ipsec static del rule name=letxblue policy=ConnRest 
netsh ipsec static del filterlist name=welcomexblue                  

上一条:win2008 r2 服务器安全设置之安全狗设置图文教程
下一条:w66利来登录网址备案号被注销了怎么办?
返回上一页