IPsec (Internet Protocol security)
在命令行下,通过netsh ipsec static来配置IPSEC安全策略。一个IPSEC由一个或者多个规则组成;
一个规则由一个IP筛选器列表和一个相应的筛选器操作组成;
这个筛选器列表和筛选器可以是系统本身所没有的,如果没有则需要自行建立;而一个筛选器列表又由一个或多个筛选器组成,因此配置IPSEC的时候必须分步进行。
规则由筛选器列表和筛选器操作构成,并且存放在策略里,策略由策略列表来存储。这样就决定了配置的步骤:建立空的安全策略、建立筛选器列表、建立筛选器操作,这三步不需要特定的顺序;建立筛选器需要在空的筛选器列表建立完成以后;
建立规则在上述三步骤完成之后。

一、下面开始配置策略的新增,修改,删除、最重要的是激活;
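REM Export the current IPsec policy store to a file (path is the author's example).
netsh ipsec static exportpolicy file = D:\ipsec.ipsec
REM Import a policy store from a file.
netsh ipsec static importpolicy file = D:\ipsec.ipsec
REM Create a new, empty policy named "ipsec". It does nothing until it is assigned (last step).
netsh ipsec static add policy name = ipsec
REM Create two filter actions: "阻止" (block) and "允许" (permit).
REM NOTE(review): only "允许" is bound to a rule below, so this policy as written blocks nothing.
netsh ipsec static add filteraction name = 阻止 action = block
netsh ipsec static add filteraction name = 允许 action = permit
REM Create the filter list first; filters are added to an existing list.
netsh ipsec static add filterlist name = 基础规则
REM 192.168.1.1 -> this host, TCP/3389 (Remote Desktop). mirrored = yes also matches the reversed direction.
netsh ipsec static add filter filterlist = 基础规则 srcaddr=192.168.1.1 dstaddr = me dstport = 3389 description = 远程桌面 protocol =TCP mirrored = yes
REM 192.168.1.0/24 -> 218.85.157.99, all ports and any protocol (dstport = 0, protocol = any).
netsh ipsec static add filter filterlist = 基础规则 Srcaddr = 192.168.1.0 srcmask=255.255.255.0 dstaddr = 218.85.157.99 dstport = 0 description = 所有端口 protocol =any mirrored = yes
REM Bind the filter list to the permit action inside policy "ipsec".
netsh ipsec static add rule name = 基础规则 Policy = ipsec filterlist = 基础规则 filteraction = 允许
REM Modify (author's step). NOTE(review): "set filter" is not among the documented
REM "netsh ipsec static set" verbs (defaultrule/filteraction/filterlist/policy/rule/store);
REM to change a filter, "delete filter" then "add filter" is the expected sequence - verify on the target host.
netsh ipsec static set filter filterlist = 基础规则 srcaddr=220.207.31.249 dstaddr=Me dstport=3389 protocol=TCP
REM Delete: the rule is removed before the filter list it references.
netsh ipsec static delete rule name = 基础规则 policy = ipsec
netsh ipsec static delete filterlist name = 基础规则
REM Assign the policy; only an assigned policy is enforced on the host.
netsh ipsec static set policy name = ipsec assign = y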
二、以下转载自网络,未经测试,仅作参考
REM ================= begin ================
REM Empty policy "bim". NOTE(review): this listing never assigns the policy, so none of it is enforced
REM until an assignment step (set policy ... assign = y) is run.
netsh ipsec static add policy name=bim
REM Two filter actions: Permit and Block.
netsh ipsec static add filteraction name=Permit action=permit
netsh ipsec static add filteraction name=Block action=block
REM Deny everything first: one filter from this host to any address, bound to Block.
REM mirrored is not given here, so the netsh default applies - confirm it on the target host.
netsh ipsec static add filterlist name=AllAccess
netsh ipsec static add filter filterlist=AllAccess srcaddr=Me dstaddr=Any
netsh ipsec static add rule name=BlockAllAccess policy=bim filterlist=AllAccess filteraction=Block
REM Unrestricted access from a specific address (no port or protocol given, so all of them).
netsh ipsec static add filterlist name=UnLimitedIP
netsh ipsec static add filter filterlist=UnLimitedIP srcaddr=61.128.128.67 dstaddr=Me
netsh ipsec static add rule name=AllowUnLimitedIP policy=bim filterlist=UnLimitedIP filteraction=Permit
REM Open specific TCP ports to any source: 20 and 21 (FTP), 80 (HTTP), 3389 (Remote Desktop).
REM These permits are expected to take precedence over BlockAllAccess because IPsec applies the more
REM specific filter first, independent of rule order - untested, as the author notes.
netsh ipsec static add filterlist name=OpenSomePort
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=20 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=21 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=80 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=3389 protocol=TCP
netsh ipsec static add rule name=AllowOpenSomePort policy=bim filterlist=OpenSomePort filteraction=Permit
REM Specific address/port pairs: this host -> any host on TCP/80, and 61.128.128.68 -> this host on TCP/1433.
netsh ipsec static add filterlist name=SomeIPSomePort
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=80 protocol=TCP
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=61.128.128.68 dstaddr=Me dstport=1433 protocol=TCP
netsh ipsec static add rule name=AllowSomeIPSomePort policy=bim filterlist=SomeIPSomePort filteraction=Permit