windows ipsec set

Export an IPsec security policy: Netsh ipsec static exportpolicy file = d:\ExportSecurity.ipsec
Import an IPsec security policy: Netsh ipsec static importpolicy file = d:\ImportSecurity.ipsec

Setting filter rules: netsh -f "c:/temp.ips"
  1. Delete all existing security policies

    echo ipsec static delete all > c:/temp.ips
  2. Create a new security policy

    rem create the security policy mrdTomcat
    echo ipsec static add policy name = mrdTomcat >> c:/temp.ips
  3. Create the filter actions (permit and block)

    rem create the filter actions
    echo ipsec static add filteraction name = allow action = permit >> c:/temp.ips
    echo ipsec static add filteraction name = deny action = block >> c:/temp.ips
  4. Create the filter lists and add the filters to them

    rem the host's own connections
    echo ipsec static add filterlist name = allow_me >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_me srcaddr = me dstaddr = 10.0.0.0 dstmask = 255.0.0.0 protocol = any mirrored = yes >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_me srcaddr = me dstaddr = 127.0.0.1 protocol = any mirrored = yes >> c:/temp.ips

    rem management hosts connecting on port 22
    echo ipsec static add filterlist name = allow_22 >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_22 srcaddr = 111.206.12.11 dstaddr = me dstport = 22 description = cc_access protocol = TCP mirrored = yes >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_22 srcaddr = 220.181.142.11 dstaddr = me dstport = 22 description = cc_access protocol = TCP mirrored = yes >> c:/temp.ips

    rem block every other ip (the more specific permit filters above take precedence over this catch-all)
    echo ipsec static add filterlist name = deny_all >> c:/temp.ips
    echo ipsec static add filter filterlist = deny_all srcaddr = me dstaddr = any dstport = 0 protocol = any mirrored = yes >> c:/temp.ips
    echo ipsec static add filter filterlist = deny_all srcaddr = any dstaddr = me dstport = 0 protocol = any mirrored = yes >> c:/temp.ips
  5. Add the filter lists to the security policy as rules

    echo ipsec static add rule name = allow_me Policy = mrdTomcat filterlist = allow_me filteraction = allow >> c:/temp.ips
    echo ipsec static add rule name = allow_22 Policy = mrdTomcat filterlist = allow_22 filteraction = allow >> c:/temp.ips
    rem allow_3389 is referenced here but no filter list with that name is created anywhere in this script; create it before this line or drop the rule
    echo ipsec static add rule name = allow_3389 Policy = mrdTomcat filterlist = allow_3389 filteraction = allow >> c:/temp.ips
    echo ipsec static add rule name = deny_all Policy = mrdTomcat filterlist = deny_all filteraction = deny >> c:/temp.ips

    rem the optional lists below each need their own "ipsec static add rule" line, like the ones above, to take effect in mrdTomcat
    rem zabbix connections
    echo ipsec static add filterlist name = allow_zabbix >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_zabbix srcaddr = x.x.x.0 srcmask = 255.255.255.0 dstaddr = me dstport = 10050 description = zabbix_to_me protocol = TCP mirrored = yes >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_zabbix srcaddr = me dstaddr = any dstport = 10051 description = me_to_zabbix protocol = TCP mirrored = yes >> c:/temp.ips

    rem snmp connections
    echo ipsec static add filterlist name = allow_snmp >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_snmp srcaddr = x.x.x.0 srcmask = 255.255.255.0 dstaddr = me dstport = 161 description = snmp_to_me protocol = UDP mirrored = yes >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_snmp srcaddr = me dstaddr = any dstport = 161 description = me_to_snmp protocol = UDP mirrored = yes >> c:/temp.ips

    rem icmp connections
    echo ipsec static add filterlist name = allow_icmp >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_icmp srcaddr = x.x.x.0 srcmask = 255.255.255.0 dstaddr = me description = icmp_to_me protocol = ICMP mirrored = yes >> c:/temp.ips
    echo ipsec static add filter filterlist = allow_icmp srcaddr = me dstaddr = any description = me_to_icmp protocol = ICMP mirrored = yes >> c:/temp.ips
  6. Assign (activate) the security policy

    echo ipsec static set policy name = mrdTomcat assign = y >> c:/temp.ips
  7. Apply the configuration

    netsh -f "c:/temp.ips"

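Every `add rule` line must name a policy, filter action and filter list that the script actually creates (the `allow_3389` rule above names a list it never creates), the policy needs a block rule to be a real allowlist, and exactly one policy should end up assigned. The following auditor is an added example, not code from the original post or from netsh: it parses the `key = value` command lines of a `.ips` script before it is handed to `netsh -f`, reports dangling references, missing block rule and missing assignment, and lists what the permit rules expose inbound (honouring `mirrored = yes`). The sample script, the `192.0.2.10` source address and the names in it are constructed for the example.

```python
"""Audit a 'netsh ipsec static' script before applying it with netsh -f.

Added example (not the original post's code). Parses the 'key = value'
command lines, checks that every rule references defined objects, that a
block rule and exactly one assigned policy exist, and summarises inbound
permits. Sample input is constructed to mirror the page's script.
"""
from collections import defaultdict

# Constructed sample: same shape as the page's script, including a rule
# (allow_3389) whose filter list is never created.
SAMPLE_SCRIPT = """\
ipsec static delete all
ipsec static add policy name = mrdTomcat
ipsec static add filteraction name = allow action = permit
ipsec static add filteraction name = deny action = block
ipsec static add filterlist name = allow_me
ipsec static add filter filterlist = allow_me srcaddr = me dstaddr = 10.0.0.0 dstmask = 255.0.0.0 protocol = any mirrored = yes
ipsec static add filterlist name = allow_22
ipsec static add filter filterlist = allow_22 srcaddr = 192.0.2.10 dstaddr = me dstport = 22 description = cc_access protocol = TCP mirrored = yes
ipsec static add filterlist name = deny_all
ipsec static add filter filterlist = deny_all srcaddr = any dstaddr = me dstport = 0 protocol = any mirrored = yes
ipsec static add rule name = allow_me Policy = mrdTomcat filterlist = allow_me filteraction = allow
ipsec static add rule name = allow_22 Policy = mrdTomcat filterlist = allow_22 filteraction = allow
ipsec static add rule name = allow_3389 Policy = mrdTomcat filterlist = allow_3389 filteraction = allow
ipsec static add rule name = deny_all Policy = mrdTomcat filterlist = deny_all filteraction = deny
ipsec static set policy name = mrdTomcat assign = y
"""


def parse_line(line):
    """Split a netsh line into its verb ('ipsec static add filter') and its
    'key = value' parameters. netsh keys are case-insensitive, so lowercase them."""
    tokens = line.split()
    verb, params, i = [], {}, 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "=":
            params[tokens[i].lower()] = tokens[i + 2]
            i += 3
        else:
            verb.append(tokens[i].lower())
            i += 1
    return " ".join(verb), params


def audit(script):
    """Return {'findings': [...], 'inbound_permits': [(rule, remote, proto, port), ...]}."""
    actions = {}                    # filteraction name -> 'permit' / 'block'
    lists = set()                   # filter lists that exist
    filters = defaultdict(list)     # filter list -> its filters
    policies, rules, assigned = set(), [], []
    for n, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.lower().startswith("rem"):
            continue
        verb, p = parse_line(line)
        if verb == "ipsec static add policy":
            policies.add(p.get("name"))
        elif verb == "ipsec static add filteraction":
            actions[p.get("name")] = p.get("action", "").lower()
        elif verb == "ipsec static add filterlist":
            lists.add(p.get("name"))
        elif verb == "ipsec static add filter":
            lists.add(p.get("filterlist"))  # netsh creates the list on first use
            filters[p.get("filterlist")].append(p)
        elif verb == "ipsec static add rule":
            rules.append((n, p))
        elif verb == "ipsec static set policy" and p.get("assign", "").lower() in ("y", "yes"):
            assigned.append(p.get("name"))

    findings, inbound = [], []
    for n, p in rules:
        name, fl, fa, pol = p.get("name"), p.get("filterlist"), p.get("filteraction"), p.get("policy")
        if pol not in policies:
            findings.append(f"line {n}: rule {name} references undefined policy '{pol}'")
        if fa not in actions:
            findings.append(f"line {n}: rule {name} references undefined filteraction '{fa}'")
        if fl not in lists:
            findings.append(f"line {n}: rule {name} references undefined filterlist '{fl}'")
            continue
        if not filters[fl]:
            findings.append(f"line {n}: rule {name} uses empty filterlist '{fl}' (matches nothing)")
        if actions.get(fa) != "permit":
            continue
        for f in filters[fl]:
            # A filter reaches this host inbound when dstaddr is 'me', or when it is
            # mirrored and srcaddr is 'me' (the mirror swaps endpoints and ports).
            if f.get("dstaddr") == "me":
                remote, port, mask = f.get("srcaddr"), f.get("dstport", "0"), f.get("srcmask")
            elif f.get("srcaddr") == "me" and f.get("mirrored", "").lower() == "yes":
                remote, port, mask = f.get("dstaddr"), f.get("srcport", "0"), f.get("dstmask")
            else:
                continue
            if mask:
                remote = f"{remote}/{mask}"
            inbound.append((name, remote, f.get("protocol", "any").upper(), port))
    if not any(actions.get(p.get("filteraction")) == "block" for _, p in rules):
        findings.append("no block rule: the policy only permits, everything else stays open")
    if len(assigned) != 1:
        findings.append(f"expected exactly one assigned policy, found {assigned}")
    return {"findings": findings, "inbound_permits": sorted(inbound)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SCRIPT).items():
        print(key, value)
```

Run it against the real `c:/temp.ips` by reading the file instead of `SAMPLE_SCRIPT`; on the sample it flags the dangling `allow_3389` reference and shows that, besides the 10.0.0.0/8 mirror, only TCP/22 from the one management address is reachable inbound.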
ipsec parameters

C:\Users\Administrator>netsh ipsec static add filter /?
用法:
filter [ filterlist = ] <string>
[ srcaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
[ dstaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
[ [ description = ] <string> ]
[ [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | <integer>) ]
[ [ mirrored = ] (yes | no) ]
[ [ srcmask = ] (mask | prefix) ]
[ [ dstmask = ] (mask | prefix) ]
[ [ srcport = ] <port> ]
[ [ dstport = ] <port> ]

将筛选器添加到指定的筛选器列表。

参数:
标记 值
filterlist -筛选器要添加到其中的筛选器列表的名称。
srcaddr -源 ip 地址(ipv4 或 ipv6)、地址范围、dns 名称或服务器类型。
dstaddr -目标 ip 地址(ipv4 或 ipv6)、dns 名称或服务器类型。
description -筛选器的简介信息。
protocol -可以是 ANY,ICMP,TCP,UDP,RAW,或者一个整数。
mirrored -值为 'Yes' 将创建两个筛选器,每个方向均有一个。
srcmask -源地址掩码或一个 1 到 32 的前缀。如果 srcaddr 设置为某一范围,则不适用。
dstmask -目标地址掩码或一个 1 到 32 的前缀。如果 dstaddr 设置为某一范围,则不适用。
srcport -数据包的源端口。值为 0 表示任意端口。
dstport -数据包的目标端口。值为 0 表示任意端口。

注释: 1. 如果筛选器列表不存在,将创建它。
2. 要指定当前计算机地址,请设置 srcaddr/dstaddr=me
要指定所有计算机地址,请设置 srcaddr/dstaddr=any
3. 服务器类型可以是 WINS、DNS、DHCP 或 GATEWAY。
4. 如果源是一个服务器类型,则目标为 "me",反之亦然。
5. 如果指定了地址范围,终结点必须为特定地址(非列表或子网)和相同类型地址(两者均应为 v4 或 v6)