• Windows IP security policy.


    I have long regretted that Windows has nothing like iptables on Linux: a tool that can strictly control who is allowed to reach a machine.

    Then I came across IPsec policies on Windows, which turn out to work quite well. Because they can be defined entirely from the command line, rolling the same configuration out to many servers is also much easier.

    Put simply: a policy is made up of any number of rules.

    A rule binds a filter action (permit or block) to one filter list.

    A filter list contains one or more filters, the actual match conditions.

    Filter lists, filter actions and rules all have to be created explicitly, so we proceed in the following steps.

    1. Create the policy. The delete all line first removes every policy, filter list and filter action from the local IPsec store, not only leftovers from earlier runs of this walkthrough, so do not run it on a machine that already carries IPsec policies you want to keep.

    netsh ipsec static delete all
    netsh ipsec static add policy name="MyIpsec"

    2. Define the filter actions.

    netsh ipsec static add filteraction name="Deny" action=block
    netsh ipsec static add filteraction name="Accept" action=permit

    3. Define the filter lists.

    netsh ipsec static add filterlist name="DenyList"
    netsh ipsec static add filterlist name="AcceptList"

    4. Add filters (match conditions) to the filter lists. Two things to watch in the lines below. First, nothing is ever added to DenyList, so the DenyRule created in step 5 matches nothing and blocks nothing; a catch-all filter (any source address to this host, any protocol, mirrored) belongs there. Second, IPsec filters are stateless and the most specific matching filter wins: mirrored=yes on the second line also creates a filter from any address to this host for TCP, which is more specific than a catch-all block and therefore permits all inbound TCP, not just the replies to this host's own outbound connections.

    netsh ipsec static add filter filterlist=AcceptList srcaddr=222.186.12.113 dstaddr=me protocol=tcp mirrored=yes
    netsh ipsec static add filter filterlist=AcceptList srcaddr=me dstaddr=any protocol=tcp mirrored=yes
    netsh ipsec static add filter filterlist=AcceptList srcaddr=any dstaddr=me protocol=icmp mirrored=yes
    

    5. Wrap it up: bind each filter list to its filter action as a rule inside the policy.

    netsh ipsec static add rule name="DenyRule" policy=MyIpsec filterlist=DenyList filteraction=Deny
    netsh ipsec static add rule name="AcceptRule" policy=MyIpsec filterlist=AcceptList filteraction=Accept
    

    6. Finally, assign the policy. The name must match the policy created in step 1. Assignment takes effect immediately, so if you are working over RDP make sure your own address is permitted before this step, or you will cut off your own session.

    netsh ipsec static set policy name=MyIpsec assign=yes
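    The whole procedure above assembled into one idempotent PowerShell script, as an added example that is not part of the original post. It closes the two gaps in the walkthrough: the deny list gets its catch-all filter, and every permit is written as narrowly as possible, because IPsec filters are stateless and the most specific filter wins, so a broad mirrored permit such as "me to any, TCP" would also admit all inbound TCP. The policy name HostLockdown, the admin subnet 192.0.2.0/24, the resolver 192.0.2.53 and the list and action names are assumptions; replace them with your own. It also registers a one-shot scheduled task that unassigns the policy after a few minutes, so a mistake made over RDP does not lock you out for good.

```powershell
# Added example, not code from the original post. All names and addresses are
# assumptions (TEST-NET-1 addresses are used as placeholders).
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$PolicyName      = 'HostLockdown',   # assumed policy name
    [string]$AdminNet        = '192.0.2.0',      # assumed admin subnet
    [string]$AdminMask       = '255.255.255.0',
    [string]$DnsServer       = '192.0.2.53',     # assumed resolver
    [int]   $RollbackMinutes = 5
)

function Invoke-Netsh {
    # Runs one "netsh ipsec static" command and fails loudly, because netsh
    # reports problems as "ERR IPsec[...]" text that scripts usually ignore.
    # Argument values must not contain spaces (the command is split on ' ').
    param([Parameter(Mandatory)][string]$Command, [switch]$IgnoreErrors)
    $parts = $Command.Split(' ')
    $out   = & netsh.exe ipsec static $parts | Out-String
    if (-not $IgnoreErrors -and ($LASTEXITCODE -ne 0 -or $out -match 'ERR IPsec')) {
        throw "netsh ipsec static $Command`n$out"
    }
}

# 1. Start clean, but only touch our own objects. The post's "delete all"
#    wipes every policy in the store, which is rarely what you want.
Invoke-Netsh "set policy name=$PolicyName assign=no" -IgnoreErrors
Invoke-Netsh "delete policy name=$PolicyName"        -IgnoreErrors
foreach ($l in 'LockdownPermit', 'LockdownDeny') { Invoke-Netsh "delete filterlist name=$l" -IgnoreErrors }
foreach ($a in 'Permit', 'Block')                 { Invoke-Netsh "delete filteraction name=$a" -IgnoreErrors }
Invoke-Netsh "add policy name=$PolicyName assign=no"

# 2. Filter actions and 3. filter lists.
Invoke-Netsh "add filteraction name=Permit action=permit"
Invoke-Netsh "add filteraction name=Block action=block"
Invoke-Netsh "add filterlist name=LockdownPermit"
Invoke-Netsh "add filterlist name=LockdownDeny"

# 4. Filters. IPsec filters are stateless and the MOST SPECIFIC match wins,
#    so each permit names a peer, a protocol and a port.
# Admin subnet -> this host, RDP only. mirrored=yes adds the reverse filter
# (this host, source port 3389 -> admin subnet) that the replies need.
Invoke-Netsh "add filter filterlist=LockdownPermit srcaddr=$AdminNet srcmask=$AdminMask dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes"
# This host -> resolver, DNS only (reverse: resolver, source port 53 -> this host).
Invoke-Netsh "add filter filterlist=LockdownPermit srcaddr=me dstaddr=$DnsServer dstmask=255.255.255.255 protocol=udp srcport=0 dstport=53 mirrored=yes"
# Catch-all: everything else to or from this host is blocked.
Invoke-Netsh "add filter filterlist=LockdownDeny srcaddr=any dstaddr=me protocol=any mirrored=yes"

# 5. Bind filter lists to actions inside the policy.
Invoke-Netsh "add rule name=PermitRule policy=$PolicyName filterlist=LockdownPermit filteraction=Permit"
Invoke-Netsh "add rule name=DenyRule   policy=$PolicyName filterlist=LockdownDeny   filteraction=Block"

# 6. Safety net, then assign. A one-shot task run as SYSTEM unassigns the
#    policy after $RollbackMinutes unless the operator cancels it.
$rollback = "ipsec static set policy name=$PolicyName assign=no"
Register-ScheduledTask -TaskName 'IpsecRollback' -Force -ErrorAction Stop `
    -Action  (New-ScheduledTaskAction -Execute 'netsh.exe' -Argument $rollback) `
    -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($RollbackMinutes)) `
    -User 'SYSTEM' -RunLevel Highest | Out-Null

Invoke-Netsh "set policy name=$PolicyName assign=yes"
Write-Host "Policy '$PolicyName' assigned. If you can still reach the host, cancel the rollback with:"
Write-Host '  Unregister-ScheduledTask -TaskName IpsecRollback -Confirm:$false'

# Verify what actually landed in the store (rules, lists and filters).
netsh ipsec static show policy name=$PolicyName level=verbose
```

    The resolver and admin-subnet permits are mirrored so that replies get through, which is unavoidable with stateless filters; keep each one pinned to a single peer and port so the mirror image stays narrow. Note that netsh ipsec static is the legacy IPsec policy store: on Windows Vista / Server 2008 and later, Windows Firewall with Advanced Security (netsh advfirewall, or the New-NetFirewallRule cmdlet) is stateful and is the supported choice for new host firewalls; the IPsec approach still works, but with exactly these caveats.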

    As you can see, the core of it is defining the filter conditions and then binding everything together. For the filter parameters, consult Microsoft's built-in help (netsh ipsec static add filter ?):

    Usage:
      filter [ filterlist = ] <string>
             [ srcaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
             [ dstaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
             [ [ description = ] <string> ]
             [ [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | <integer>) ]
             [ [ mirrored = ] (yes  |  no) ]
             [ [ srcmask = ] (mask | prefix) ]
             [ [ dstmask = ] (mask | prefix) ]
             [ [ srcport = ] <port> ]
             [ [ dstport = ] <port> ]

      Adds a filter to the specified filter list.

    Parameters:

      Tag            Value
      filterlist    -Name of the filter list to which the filter is added.
      srcaddr       -Source ip address (ipv4 or ipv6), address range, dns name, or server type.
      dstaddr       -Destination ip address (ipv4 or ipv6), address range, dns name, or server type.
      description   -Brief information about the filter.
      protocol      -Can be ANY, ICMP, TCP, UDP, RAW, or an integer.
      mirrored      -'Yes' creates two filters, one in each direction.
      srcmask       -Source address mask or a prefix of 1 through 32. Not applicable if srcaddr is set to a range
      dstmask       -Destination address mask or a prefix of 1 through 32. Not applicable if dstaddr is set to a range
      srcport       -Source port of the packet. A value of 0 means any port.
      dstport       -Destination port of the packet. A value of 0 means any port.

    Remarks:  1. If the filter list does not exist it will be created.
              2. To specify the current computer address, set srcaddr/dstaddr=me
                 To specify all computer addresses, set srcaddr/dstaddr=any
              3. Server type can be WINS, DNS, DHCP or GATEWAY.
              4. If source is a server type, then dest is 'me' and vice-versa.
              5. If an address range is specified, the endpoints need to be specific addresses (not lists, or subnets) and of the same type (both should be v4 or both should be v6).

    Examples: 1. add filter filterlist=Filter1 192.145.168.0 192.145.168.45 srcmask=24 dstmask=32
              2. add filter filterlist=Filter1 srcaddr=DHCP dstaddr=0.0.0.0 protocol=ICMP srcmask=255.255.255.255 dstmask=255.255.255.255
              3. add filter filterlist=Filter1 srcaddr=me dstaddr=any
              4. add filter filterlist=Filter1 srcaddr= E3D7::51F4:9BC8:00A8:6420 dstaddr= ME
              5. add filter filterlist=Filter1 srcaddr= 192.168.2.1-192.168.2.10 dstaddr= ME

  • Original article: https://www.cnblogs.com/dieangel/p/3369926.html