• Blocking ports with command-line IPSec


    On Windows Server 2003 this is done directly with the netsh ipsec command; on Windows XP the tool is ipseccmd, and on Windows 2000 it is ipsecpol. The commonly used switches of ipseccmd/ipsecpol are:
      -w reg   write the configuration to the registry so that it survives a reboot.
      -p       policy name; if a policy of that name exists, the rule is added to it, otherwise the policy is created.
      -r       rule name.
      -n       action, one of BLOCK, PASS or INPASS, which must be written in upper case.
      -x       assign (activate) the policy.
      -y       unassign the policy.
      -o       delete the policy named by -p.
      The most important switch is -f. It defines your filter rule, in the format
      A.B.C.D/mask:port=A.B.C.D/mask:port:protocol, where the part before = is the source address and the part after it is the destination address. Using + instead of = makes the rule mirrored (it applies in both directions). In an address, * stands for any IP address and 0 for this machine's own IP address. Wildcards can also be used inside an address: 144.92.*.* is equivalent to 144.92.0.0/255.255.0.0. Run ipseccmd to get its built-in help.
      To remove a rule, first unassign it with -y; otherwise it keeps taking effect for a while after being deleted.
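    To make the -f syntax above concrete, here is a small parser for it. It is an added example, not code from the original post or from Microsoft's tools; it only models the textual format (source, destination, port, protocol, the * and 0 shorthands and the = / + separators), and assumes an omitted protocol means any protocol.

```python
# Added example, not from the original post: parser for the ipseccmd/ipsecpol
# -f syntax  SRC[:port]{=|+}DST[:port][:protocol]  described above.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Endpoint:
    addr: str             # dotted address, or "any" (*) / "me" (0)
    mask: str             # dotted subnet mask
    port: Optional[int]   # None means any port

@dataclass(frozen=True)
class FilterSpec:
    src: Endpoint
    dst: Endpoint
    protocol: str         # "TCP", "UDP", "ICMP", ... or "ANY" when omitted (assumed)
    mirrored: bool        # "+" = both directions, "=" = source -> destination only

def parse_address(text: str) -> tuple:
    """Expand the -f address shorthands into (address, mask)."""
    if text == "*":                      # any host
        return "any", "0.0.0.0"
    if text == "0":                      # this machine's own address
        return "me", "255.255.255.255"
    if "/" in text:                      # explicit A.B.C.D/mask
        return tuple(text.split("/", 1))
    octets = text.split(".")
    if len(octets) != 4 or not all(o == "*" or o.isdigit() for o in octets):
        raise ValueError(f"bad address {text!r}")
    # wildcard octets: 144.92.*.* is the same as 144.92.0.0/255.255.0.0
    addr = ".".join("0" if o == "*" else o for o in octets)
    mask = ".".join("0" if o == "*" else "255" for o in octets)
    return addr, mask

def _port(parts: list) -> Optional[int]:
    return int(parts[0]) if parts and parts[0] else None

def parse_filter(spec: str) -> FilterSpec:
    """Parse one -f argument, e.g. '0+200.200.200.77:445:UDP' or '*+*::ICMP'."""
    m = re.match(r"^([^=+]+)([=+])(.+)$", spec)
    if not m:
        raise ValueError(f"missing '=' or '+' separator in {spec!r}")
    src_text, sep, dst_text = m.groups()
    src_addr, *src_rest = src_text.split(":")          # [port]
    dst_addr, *dst_rest = dst_text.split(":")          # [port[, protocol]]
    proto = dst_rest[1].upper() if len(dst_rest) > 1 and dst_rest[1] else "ANY"
    return FilterSpec(Endpoint(*parse_address(src_addr), _port(src_rest)),
                      Endpoint(*parse_address(dst_addr), _port(dst_rest)),
                      proto, sep == "+")
```

    Feeding it the filter strings from the scripts below shows which direction, host and port each rule actually covers before the policy is assigned.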


    myipsec2003.bat:
    rem Add the security policy (by name)
    netsh ipsec static add policy name=我的安全策略

    rem Add the IP filter lists
    netsh ipsec static add filterlist name=允许列表
    netsh ipsec static add filterlist name=拒绝列表

    rem Add filters to the IP filter list (allows Internet access; tested OK)
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=web访问 protocol=tcp mirrored=yes dstport=80
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=dns访问 protocol=tcp mirrored=yes dstport=53
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=dns访问 protocol=udp mirrored=yes dstport=53
    rem Printing through another machine's share (tested OK)
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.77 description=打印 protocol=tcp mirrored=yes dstport=139
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.77 description=打印 protocol=udp mirrored=yes dstport=138
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.77 description=打印 protocol=udp mirrored=yes dstport=137
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.77 description=打印 protocol=tcp mirrored=yes dstport=445
    rem Servers
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.201 description=服务器 protocol=tcp mirrored=yes dstport=139
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.201 description=服务器 protocol=udp mirrored=yes dstport=138
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.201 description=服务器 protocol=udp mirrored=yes dstport=137
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.201 description=服务器 protocol=tcp mirrored=yes dstport=445
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.203 description=服务器 protocol=tcp mirrored=yes dstport=139
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.203 description=服务器 protocol=udp mirrored=yes dstport=138
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.203 description=服务器 protocol=udp mirrored=yes dstport=137
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.203 description=服务器 protocol=tcp mirrored=yes dstport=445
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.202 description=服务器 protocol=tcp mirrored=yes dstport=139
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.202 description=服务器 protocol=udp mirrored=yes dstport=138
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.202 description=服务器 protocol=udp mirrored=yes dstport=137
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.202 description=服务器 protocol=tcp mirrored=yes dstport=445
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.105 description=服务器 protocol=tcp mirrored=yes dstport=139
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.105 description=服务器 protocol=udp mirrored=yes dstport=138
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.105 description=服务器 protocol=udp mirrored=yes dstport=137
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.105 description=服务器 protocol=tcp mirrored=yes dstport=445
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.88 description=服务器 protocol=tcp mirrored=yes dstport=139
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.88 description=服务器 protocol=udp mirrored=yes dstport=138
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.88 description=服务器 protocol=udp mirrored=yes dstport=137
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.88 description=服务器 protocol=tcp mirrored=yes dstport=445

    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.155 description=服务器 protocol=tcp mirrored=yes dstport=139
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.155 description=服务器 protocol=udp mirrored=yes dstport=138
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.155 description=服务器 protocol=udp mirrored=yes dstport=137
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.155 description=服务器 protocol=tcp mirrored=yes dstport=445
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=200.200.200.155 description=服务器 protocol=udp mirrored=yes dstport=445

    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=ping访问 protocol=ICMP mirrored=yes

    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=sybase访问 protocol=tcp mirrored=yes dstport=5000
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=dameware protocol=tcp mirrored=yes dstport=6129
    netsh ipsec static add filter filterlist=允许列表 srcaddr=any dstaddr=me description=remotelyanywhere protocol=tcp mirrored=yes dstport=2000
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=pcanywhere protocol=tcp mirrored=yes dstport=5631
    netsh ipsec static add filter filterlist=允许列表 srcaddr=me dstaddr=any description=pcanywhere protocol=udp mirrored=yes dstport=5632

    rem Add filters to the IP filter list (deny everyone else access)
    netsh ipsec static add filter filterlist=拒绝列表 srcaddr=any dstaddr=me description=别人到我任何访问 protocol=any mirrored=yes
    netsh ipsec static add filter filterlist=拒绝列表 srcaddr=me dstaddr=any description=我到任何访问 protocol=any mirrored=yes

    rem Add the filter actions
    netsh ipsec static add filteraction name=可以 action=permit
    netsh ipsec static add filteraction name=不可以 action=block


    rem Create the rules that link the IPSec policy, a filter list and a filter action (adds the rules to 我的安全策略)
    netsh ipsec static add rule name=允许规则 policy=我的安全策略 filterlist=允许列表 filteraction=可以
    netsh ipsec static add rule name=拒绝规则 policy=我的安全策略 filterlist=拒绝列表 filteraction=不可以

    rem Assign (activate) 我的安全策略
    netsh ipsec static set policy name=我的安全策略 assign=y

    rem To summarize the hierarchy: policy(rule(filterlist(filter)) - filteraction)
    rem netsh ipsec static delete policy name=我的安全策略
    rem netsh ipsec static delete policy all
    rem netsh ipsec static show policy all
    rem netsh firewall delete portopening TCP 2000

    myipsecdel.bat:
    netsh ipsec static delete policy name=我的安全策略
    rem netsh ipsec static delete policy all


    winxpipsec.bat:

    rem Set the policy name and the rules the policy contains

    ipseccmd -w REG -p "Block default ports" -y
    ipseccmd -w REG -p "Block default ports" -o
    ipseccmd -w REG -p "Block default ports" -r "Block all" -f 0+* -n BLOCK

    rem ipseccmd -w REG -p "Block default ports" -r "Block TCP/135" -f *+0:135:TCP -n BLOCK
    rem ipseccmd -w REG -p "Block default ports" -r "Block TCP/139" -f *+0:139:TCP -n BLOCK
    rem ipseccmd -w REG -p "Block default ports" -r "Block TCP/445" -f *+0:445:TCP -n BLOCK
    rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/123" -f *+0:123:UDP -n BLOCK
    rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/135" -f *+0:135:UDP -n BLOCK
    rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/137" -f *+0:137:UDP -n BLOCK
    rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/138" -f *+0:138:UDP -n BLOCK
    rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/139" -f *+0:139:UDP -n BLOCK
    rem ipseccmd -w REG -p "Block default ports" -r "Block UDP/445" -f *+0:445:UDP -n BLOCK

    ipseccmd -w REG -p "Block default ports" -r "allow server" -f 0+200.200.200.201:445:UDP -n PASS
    ipseccmd -w REG -p "Block default ports" -r "allow server" -f 0+200.200.200.201:445:TCP -n PASS

    rem ipseccmd -w REG -p "Block default ports" -r "allow server" -f 0+200.200.200.201:137:UDP -n PASS
    rem ipseccmd -w REG -p "Block default ports" -r "allow server" -f 0+200.200.200.201:138:UDP -n PASS
    rem ipseccmd -w REG -p "Block default ports" -r "allow server" -f 0+200.200.200.201:139:tcp -n PASS

    ipseccmd -w REG -p "Block default ports" -r "allow print" -f 0+200.200.200.77:445:UDP -n PASS
    ipseccmd -w REG -p "Block default ports" -r "allow print" -f 0+200.200.200.77:445:TCP -n PASS
    ipseccmd -w REG -p "Block default ports" -r "allow print" -f 0+200.200.200.77:137:UDP -n PASS
    ipseccmd -w REG -p "Block default ports" -r "allow print" -f 0+200.200.200.77:138:UDP -n PASS
    ipseccmd -w REG -p "Block default ports" -r "allow print" -f 0+200.200.200.77:139:tcp -n PASS

    ipseccmd -w REG -p "Block default ports" -r "allow sqlserver" -f 0+*:1433:tcp -n PASS

    ipseccmd -w REG -p "Block default ports" -r "allow sybase" -f 0+*:5000:tcp -n PASS
    ipseccmd -w REG -p "Block default ports" -r "allow sybase" -f 0+*:5001:tcp -n PASS
    ipseccmd -w REG -p "Block default ports" -r "allow sybase" -f 0+*:5002:tcp -n PASS


    ipseccmd -w REG -p "Block default ports" -r "allow dameware" -f 200.200.200.106+0:6129:tcp -n PASS
    ipseccmd -w REG -p "Block default ports" -r "allow pcanywhere" -f 200.200.200.106+0:5631:tcp -n PASS

    ipseccmd -w REG -p "Block default ports" -r "allow firebird" -f 0+*:211:tcp -n PASS
    ipseccmd -w REG -p "Block default ports" -r "allow firebird" -f 0+*:3050:tcp -n PASS

    ipseccmd -w REG -p "Block default ports" -r "allow ping" -f *+*::ICMP -n PASS
    rem Assign (activate) this policy
    ipseccmd -w REG -p "Block default ports" -x

    winxpipsec_del.bat:
    rem Unassign first: the first line unassigns this policy, the second then deletes it
    ipseccmd -w REG -p "Block default ports" -y
    ipseccmd -w REG -p "Block default ports" -o

    win2000ipsec.bat:

    rem Set the policy name and the rules the policy contains

    rem ipsecpol -w REG -p "Block default ports" -y
    rem ipsecpol -w REG -p "Block default ports" -o
    ipsecpol -w REG -p "Block default ports" -r "Block all" -f 0+* -n BLOCK
    rem ipsecpol -w REG -p "Block default ports" -r "Block TCP/135" -f *+0:135:TCP -n BLOCK
    rem ipsecpol -w REG -p "Block default ports" -r "Block TCP/139" -f *+0:139:TCP -n BLOCK
    rem ipsecpol -w REG -p "Block default ports" -r "Block TCP/445" -f *+0:445:TCP -n BLOCK
    rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/123" -f *+0:123:UDP -n BLOCK
    rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/135" -f *+0:135:UDP -n BLOCK
    rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/137" -f *+0:137:UDP -n BLOCK
    rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/138" -f *+0:138:UDP -n BLOCK
    rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/139" -f *+0:139:UDP -n BLOCK
    rem ipsecpol -w REG -p "Block default ports" -r "Block UDP/445" -f *+0:445:UDP -n BLOCK

    rem ipsecpol -w REG -p "Block default ports" -r "allow UDP/137" -f *+0:137:UDP -n PASS
    rem ipsecpol -w REG -p "Block default ports" -r "allow UDP/138" -f *+0:138:UDP -n PASS
    rem ipsecpol -w REG -p "Block default ports" -r "allow UDP/139" -f *+0:139:UDP -n PASS
    rem ipsecpol -w REG -p "Block default ports" -r "allow tcp/139" -f *+0:139:tcp -n PASS

    ipsecpol -w REG -p "Block default ports" -r "allow tcP/445" -f *+0:445:tcp -n PASS
    ipsecpol -w REG -p "Block default ports" -r "allow UDP/445" -f *+0:445:udp -n PASS

    rem ipsecpol -w REG -p "Block default ports" -r "allow sybase" -f 0+*:5000:tcp -n PASS
    ipsecpol -w REG -p "Block default ports" -r "allow sybase" -f *+0:5000:tcp -n PASS
    ipsecpol -w REG -p "Block default ports" -r "allow sybase sqlserver5001" -f *+0:5001:tcp -n PASS
    ipsecpol -w REG -p "Block default ports" -r "allow sybase sqlserver5002" -f *+0:5002:tcp -n PASS
    ipsecpol -w REG -p "Block default ports" -r "allow sqlserver" -f *+0:1433:tcp -n PASS
    ipsecpol -w REG -p "Block default ports" -r "allow pcanywhere tcp" -f 200.200.200.106+0:5631:tcp -n PASS
    ipsecpol -w REG -p "Block default ports" -r "allow pcanywhere udp" -f 200.200.200.106+0:5632:udp -n PASS

    ipsecpol -w REG -p "Block default ports" -r "allow dameware" -f 200.200.200.106+0:6129:tcp -n PASS
    rem ipsecpol -w REG -p "Block default ports" -r "allow firebird" -f 0+*:211:tcp -n PASS
    ipsecpol -w REG -p "Block default ports" -r "allow firebird211" -f *+0:211:tcp -n PASS
    ipsecpol -w REG -p "Block default ports" -r "allow firebird3050" -f *+0:3050:tcp -n PASS
    ipsecpol -w REG -p "Block default ports" -r "allow ping" -f 0+*::ICMP -n PASS
    rem Assign (activate) this policy
    ipsecpol -w REG -p "Block default ports" -x


    win2000ipsec_del.bat:
    rem Unassign first: the first line unassigns this policy, the second then deletes it
    ipsecpol -w REG -p "Block default ports" -y
    ipsecpol -w REG -p "Block default ports" -o

  • Original article: https://www.cnblogs.com/Hackerman/p/12467050.html