system servicewindowsipsec set

windows ipsec set

windows ipsec set

1
2
3
4
导出IPsec安全策略:Netsh ipsec static exportpolicy file = d:\ExportSecurity.ipsec
导入IPsec安全策略:Netsh ipsec static importpolicy file = d:\ImportSecurity.ipsec

设置过滤规则: netsh -f "c:/temp.ips"

  1. 删除所有的安全策略

    1
    echo ipsec static delete all > c:/temp.ips

  2. 建立一个新的安全策略

    1
    2
    rem 创建安全策略mrdTomcat
    echo ipsec static add policy name = mrdTomcat >> c:/temp.ips

  3. 创建筛选操作(允许和拒绝)

    1
    2
    3
    rem 创建筛选操作
    echo ipsec static add filteraction name = allow action = permit >> c:/temp.ips
    echo ipsec static add filteraction name = deny action = block  >> c:/temp.ips

  4. 创建筛选器并对其设置过滤规则

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    rem 自身连接
    echo ipsec static add filterlist name = allow_me >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_me srcaddr = me dstaddr = 10.0.0.0 dstmask = 255.0.0.0  protocol = any  mirrored = yes >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_me srcaddr = me dstaddr = 127.0.0.1   protocol = any  mirrored = yes  >> c:/temp.ips

    rem 中控连接22
    echo ipsec static add filterlist name = allow_22 >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_22 srcaddr = 111.206.12.11 dstaddr = me dstport = 22 description = cc_access protocol = TCP mirrored = yes >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_22 srcaddr = 220.181.142.11 dstaddr = me dstport = 22 description = cc_access protocol = TCP mirrored = yes >> c:/temp.ips

    rem 拒绝其他所有ip
    echo ipsec static add filterlist name = deny_all >> c:/temp.ips
    echo ipsec static add filter filterlist = deny_all srcaddr = me dstaddr = any dstport = 0  protocol = any mirrored = yes >> c:/temp.ips
    echo ipsec static add filter filterlist = deny_all srcaddr = any dstaddr = me dstport = 0  protocol = any mirrored = yes >> c:/temp.ips

  5. 将筛选器规则加入到安全策略

    1
    2
    3
    4
    echo ipsec static add rule name = allow_me Policy = mrdTomcat filterlist = allow_me filteraction = allow   >> c:/temp.ips
    echo ipsec static add rule name = allow_22 Policy = mrdTomcat filterlist = allow_22 filteraction = allow   >> c:/temp.ips
    echo ipsec static add rule name = allow_3389  Policy = mrdTomcat filterlist = allow_3389  filteraction = allow   >> c:/temp.ips
    echo ipsec static add rule name = deny_all Policy = mrdTomcat filterlist = deny_all filteraction = deny  >> c:/temp.ips
    1
    2
    3
    4
    rem 连接zabbix
    echo ipsec static add filterlist name   = allow_zabbix >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_zabbix srcaddr = x.x.x.0  srcmask = 255.255.255.0  dstaddr = me dstport = 10050 description = zabbix_to_me protocol = TCP mirrored = yes >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_zabbix srcaddr = me  dstaddr = any dstport = 10051  description = me_to_zabbix protocol = TCP mirrored = yes >> c:/temp.ips
    1
    2
    3
    4
    rem 连接snmp
    echo ipsec static add filterlist name   = allow_snmp >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_snmp srcaddr = x.x.x.0  srcmask = 255.255.255.0 dstaddr = me dstport = 161 description = snmp_to_me protocol = UDP mirrored = yes >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_snmp srcaddr = me  dstaddr = any dstport = 161  description = me_to_snmp protocol = UDP mirrored = yes >> c:/temp.ips
    1
    2
    3
    4
    rem 连接icmp
    echo ipsec static add filterlist name   = allow_icmp >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_icmp srcaddr = x.x.x.0  srcmask = 255.255.255.0 dstaddr = me description = snmp_to_me protocol = ICMP mirrored = yes >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_icmp srcaddr = me dstaddr = any description = me_to_icmp protocol = ICMP mirrored = yes >> c:/temp.ips

  6. 激活安全策略

    1
    echo ipsec static set policy name = mrdTomcat assign = y >> c:/temp.ips

  7. 应用配置

    1
    netsh -f "c:/temp.ips"

ipsec 参数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
C:\Users\Administrator>netsh ipsec static add filter /?
用法:
  filter [ filterlist = ] <string>
         [ srcaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
         [ dstaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
         [ [ description = ] <string> ]
         [ [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | <integer>) ]
         [ [ mirrored = ] (yes  |  no) ]
         [ [ srcmask = ] (mask | prefix) ]
         [ [ dstmask = ] (mask | prefix) ]
         [ [ srcport = ] <port> ]
         [ [ dstport = ] <port> ]

  将筛选器添加到指定的筛选器列表。

参数:
  标记           值
  filterlist    -筛选器要添加到其中的筛选器列表的名称。
  srcaddr       -源 ip 地址(ipv4 或 ipv6)、地址范围、dns 名称或服务器类型。
  dstaddr       -目标 ip 地址(ipv4 或 ipv6)、dns 名称或服务器类型。
  description   -筛选器的简介信息。
  protocol      -可以是 ANY,ICMP,TCP,UDP,RAW,或者一个整数。
  mirrored      -值为 'Yes' 将创建两个筛选器,每个方向均有一个。
  srcmask       -源地址掩码或一个 1 到 32 的前缀。如果 srcaddr 设置为某一范围,则不适用。
  dstmask       -目标地址掩码或一个 1 到 32 的前缀。如果 dstaddr 设置为某一范围,则不适用。
  srcport       -数据包的源端口。值为 0 表示任意端口。
  dstport       -数据包的目标端口。值为 0 表示任意端口。

注释:  1. 如果筛选器列表不存在,将创建它。
       2. 要指定当前计算机地址,请设置 srcaddr/dstaddr=me
          要指定所有计算机地址,请设置 srcaddr/dstaddr=any
       3. 服务器类型可以是 WINS、DNS、DHCP 或 GATEWAY。
       4. 如果源是一个服务器类型,则目标为 "me",反之亦然。
       5. 如果指定了地址范围,终结点必须为特定地址(非列表或子网)和相同类型地址(两者均应为 v4 或 v6)