大家都知道windows2003下的基本防火墙虽然健壮,但功能单一,征对主动外发的包更无能为力,ipsec是一个非常好的补充,但ipsec图形下操作是非常笨拙的,而网上流传的ipsec安全配置脚本大多只能运行一次,修改后第二次运行可能造成不需要的策略或规则残留。
因此本次改进,添加了删除策略或规则的命令,不过会把系统自带的也删掉,那没有关系,系统自带的本来就没有用,并简化了脚本,在每次修改后可再次运行,便于批量修改。
脚本中每条规则末尾的说明会出现在ipsec的描述中,不用担心影响脚本的运行。
配置方略: 禁止所有,允许部分
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 |
@echo off rem ================================================== rem author 赵亚南 rem date 2013/03/27 rem apply to win2k3 rem ================================================== sc config “PolicyAgent” start= auto sc start PolicyAgent Netsh ipsec static del rule all ipsec_base_config Netsh ipsec static del policy all Netsh ipsec static del filteraction all Netsh ipsec static del filterlist all Netsh ipsec static add policy name=ipsec_base_config activatedefaultrule = no Netsh ipsec static add filteraction name=block action=block Netsh ipsec static add filteraction name=permit action=permit Netsh ipsec static add filterlist name=permitlist Netsh ipsec static add filterlist name=alllist Netsh ipsec static add filter filterlist=permitlist srcaddr=any dstaddr=me protocol=tcp mirrored=yes dstport=80 对外服务端口 Netsh ipsec static add filter filterlist=permitlist srcaddr=1.2.3.4 dstaddr=me protocol=tcp mirrored=yes dstport=3306 数据库 Netsh ipsec static add filter filterlist=permitlist srcaddr=2.3.4.5 srcmask=32 dstaddr=me dstmask=32 protocol=any mirrored=yes dstport=0 VPN–IP Netsh ipsec static add filter filterlist=permitlist srcaddr=2.3.4.6 dstaddr=me protocol=any mirrored=yes dstport=0 VPN–IP rem Netsh ipsec static add filter filterlist=permitlist srcaddr=192.168.1.0 srcmask=255.255.255.0 dstaddr=me protocol=any mirrored=yes dstport=0 内网信任网络 Netsh ipsec static add filter filterlist=permitlist srcaddr=210.72.145.44 srcmask=255.255.255.255 srcport=123 dstaddr=me dstport=123 protocol=UDP mirrored=yes 复旦大学NTP时间同步服务器 Netsh ipsec static add filter filterlist=permitlist srcaddr=any dstaddr=me protocol=ICMP mirrored=yes PING响应,注释这条可以禁ping,连本机也ping不出去 Netsh ipsec static add filter filterlist=permitlist srcaddr=60.195.252.107 dstaddr=me protocol=udp mirrored=yes dstport=161 监控宝snmp Netsh ipsec static add filter filterlist=permitlist srcaddr=60.195.252.110 dstaddr=me protocol=udp mirrored=yes dstport=161 监控宝snmp Netsh ipsec static add filter filterlist=permitlist srcaddr=60.195.252.106 dstaddr=me protocol=tcp mirrored=yes dstport=3306 监控宝mysql Netsh ipsec static add filter filterlist=permitlist srcaddr=me dstaddr=202.96.128.86 protocol=udp mirrored=yes dstport=53 访问外网DNS,要换成你当地的DNS Netsh ipsec static add filter filterlist=permitlist srcaddr=me dstaddr=any protocol=tcp mirrored=yes dstport=80 访问外网WEB Netsh ipsec static add filter filterlist=permitlist srcaddr=me dstaddr=any protocol=tcp mirrored=yes dstport=8080 访问外网WEB Netsh ipsec static add filter filterlist=permitlist srcaddr=me dstaddr=any protocol=tcp mirrored=yes dstport=443 访问外网WEB Netsh ipsec static add filter filterlist=permitlist srcaddr=me dstaddr=any protocol=tcp mirrored=yes dstport=21 访问外网FTP Netsh ipsec static add filter filterlist=alllist srcaddr=any dstaddr=me protocol=any mirrored=yes dstport=0 最后默认阻止其它所有 Netsh ipsec static add rule name=1 policy=ipsec_base_config filterlist=permitlist filteraction=permit Netsh ipsec static add rule name=2 policy=ipsec_base_config filterlist=alllist filteraction=block netsh ipsec static set policy name=ipsec_base_config assign=y |
实测通过,注意,运行之后,就只有VPN才能远程连上了哟。
发表回复