IP Security Policy batch scripts and annotations (netsh) - dos/bat

Source: Internet
Author: User
Netsh is the command-line scripting utility built into Windows 2000/XP/2003. It lets you display or modify the network configuration of the computer it runs on, or of a remote computer.
The netsh ipsec context reportedly runs only on Windows 2003; the commands below were tested on 2003.
My understanding of IP Security Policy: a security policy consists of a number of rules, and each rule has two parts. First you create an IP filter (a filter list that specifies which addresses and ports are matched), then a filter action that specifies what is done with the matched IP traffic (for example permit or block). Once a policy has been written it must be activated before it takes effect; activating it is called assigning the policy.
Here is an example to illustrate, followed by some common operations. This example denies the machine with IP 192.168.1.2 access to my port 3389. Lines beginning with REM are comments.
REM First create a security policy called xblue
netsh ipsec static add policy name=xblue
REM Create a filter list with one filter that matches 192.168.1.2 talking to my TCP port 3389
netsh ipsec static add filterlist name=denyip
netsh ipsec static add filter filterlist=denyip srcaddr=192.168.1.2 dstaddr=me dstport=3389 protocol=tcp
REM Create a filter action that blocks
netsh ipsec static add filteraction name=denyact action=block
REM Add a rule to the security policy xblue that ties the filter list to the filter action
netsh ipsec static add rule name=kill3389 policy=xblue filterlist=denyip filteraction=denyact
REM Activate (assign) this policy
netsh ipsec static set policy name=xblue assign=y
Export the security policy
netsh ipsec static exportpolicy d:\ip.ipsec
Remove all security policies
netsh ipsec static del all
Import a security policy
netsh ipsec static importpolicy d:\ip.ipsec
Activate (assign) a policy
netsh ipsec static set policy name=<policy name> assign=y
Flexible application during an intrusion
I got SA permission on 61.90.227.136, but there is a policy limiting access to its 3389, and I want to use its 3389.
netsh ipsec static add filterlist Name=welcomexblue
netsh ipsec static add filter filterlist=welcomexblue srcaddr=220.207.31.249 dstaddr=me dstport=7892 protocol=tcp
netsh ipsec static add rule name=letxblue policy=connrest filterlist=welcomexblue Filteraction=permit
Access result: it can be accessed.
netsh ipsec static del rule Name=letxblue policy=connrest
Change
netsh ipsec static set filter Filterlist=welcomexblue srcaddr=220.207.31.249 dstaddr=me dstport=3389 protocol=tcp
Delete
netsh ipsec static del rule Name=letxblue policy=connrest
netsh ipsec static del filterlist Name=welcomexblue
Now for Win2K.
On Win2K, adding an IP Security Policy requires the IPSecPol program from the Windows Resource Kit, which consists of an EXE and two DLLs. I won't explain its usage here; you can redirect its help output to a file such as ipsecpolhelp.txt and read that. This is the script I used myself.
REM First restrict everything: any address to this host (0), mirrored (+), blocked
ipsecpol -w REG -p "Haishion" -r "Block all IP" -f *+0 -n BLOCK
REM Then open unrestricted access for certain machines, such as your own workstation
ipsecpol -w REG -p "Haishion" -r "Allow IP" -f ^
210.34.0.1+0 ^
210.34.0.2+0 ^
-n PASS
REM Open server ports, such as HTTP 80 and FTP 20, 21
ipsecpol -w REG -p "Haishion" -r "Open Port" -f ^
*+0:20:tcp ^
*+0:21:tcp ^
*+0:80:tcp ^
-n PASS
REM Let specific IPs reach specific ports (the first two entries let this host reach DNS and web servers outbound)
ipsecpol -w REG -p "Haishion" -r "Allow IP Port" -f ^
0+*:53:udp ^
0+*:80:tcp ^
210.34.0.3+0:8080:tcp ^
-n PASS
REM Assign the policy
ipsecpol -w REG -p "Haishion" -x

The netsh version of the same policy structure, as a batch script:

REM ================= begins ================
netsh ipsec static ^
add policy name=bim

REM Add 2 filter actions, block and permit
netsh ipsec static ^
add filteraction name=permit action=permit
netsh ipsec static ^
add filteraction name=block action=block

REM First block all access (filters are mirrored by default, so this covers both directions).
REM The more specific permit filters below take precedence over this generic block filter.
netsh ipsec static ^
add filterlist name=allaccess
netsh ipsec static ^
add filter filterlist=allaccess srcaddr=me dstaddr=any
netsh ipsec static ^
add rule name=blockallaccess policy=bim filterlist=allaccess filteraction=block

REM Give certain IPs unrestricted access
netsh ipsec static ^
add filterlist name=unlimitedip
netsh ipsec static ^
add filter filterlist=unlimitedip srcaddr=61.128.128.67 dstaddr=me
netsh ipsec static ^
add rule name=allowunlimitedip policy=bim filterlist=unlimitedip filteraction=permit

REM Open certain ports to everyone
netsh ipsec static ^
add filterlist name=opensomeport
netsh ipsec static ^
add filter filterlist=opensomeport srcaddr=any dstaddr=me dstport=20 protocol=tcp
netsh ipsec static ^
add filter filterlist=opensomeport srcaddr=any dstaddr=me dstport=21 protocol=tcp
netsh ipsec static ^
add filter filterlist=opensomeport srcaddr=any dstaddr=me dstport=80 protocol=tcp
netsh ipsec static ^
add filter filterlist=opensomeport srcaddr=any dstaddr=me dstport=3389 protocol=tcp
netsh ipsec static ^
add rule name=allowopensomeport policy=bim filterlist=opensomeport filteraction=permit

REM Let some IPs reach certain ports (the first filter lets this host reach web servers outbound)
netsh ipsec static ^
add filterlist name=someipsomeport
netsh ipsec static ^
add filter filterlist=someipsomeport srcaddr=me dstaddr=any dstport=80 protocol=tcp
netsh ipsec static ^
add filter filterlist=someipsomeport srcaddr=61.128.128.68 dstaddr=me dstport=1433 protocol=tcp
netsh ipsec static ^
add rule name=allowsomeipsomeport policy=bim filterlist=someipsomeport filteraction=permit

REM Assign the policy; without this step nothing above takes effect
netsh ipsec static ^
set policy name=bim assign=y
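The ipsecpol filter syntax of the Win2K script (*+0:20:tcp, 0+*:53:udp, 210.34.0.3+0:8080:tcp) and the netsh add filter lines of the script above describe the same filters in two notations. The converter below is an added example, not code from the original article: it parses one ipsecpol -f filter spec and emits the equivalent netsh ipsec static add filter line, validating addresses and rejecting a port given without tcp/udp (which netsh refuses on a protocol=ANY filter). It assumes the ipsecpol conventions used on this page (* = any address, 0 = this machine, + = mirrored) plus two it adds as assumptions: = for a one-way filter and A.B.C.D/mask for subnets.

```python
import ipaddress
import re

# Address tokens in an ipsecpol filter spec, as used on this page:
#   "*" = any address, "0" = this machine (netsh "me"), A.B.C.D[/mask] = host or subnet.
# Each side of a filter is addr[:port][:protocol]; the protocol sits on the dst side.
_SIDE = re.compile(r"^(?P<addr>[^:]+)(?::(?P<port>\d+))?(?::(?P<proto>[a-z]+))?$", re.I)


def _addr(token):
    """Map an ipsecpol address token to netsh (address, mask-or-None)."""
    if token == "*":
        return "any", None
    if token == "0":
        return "me", None
    if "/" in token:
        net = ipaddress.ip_network(token, strict=False)   # validates the subnet
        return str(net.network_address), str(net.netmask)
    return str(ipaddress.ip_address(token)), None        # raises ValueError on a typo


def ipsecpol_filter_to_netsh(spec, filterlist):
    """Translate one ipsecpol -f filter (e.g. '*+0:3389:tcp') into the equivalent
    'netsh ipsec static add filter' line. '+' means a mirrored filter (both
    directions, the netsh default); '=' (assumed) means one direction only."""
    sep = "+" if "+" in spec else "="
    if sep not in spec:
        raise ValueError(f"filter spec needs '+' or '=': {spec!r}")
    src_m, dst_m = (_SIDE.match(s) for s in spec.split(sep, 1))
    if not (src_m and dst_m):
        raise ValueError(f"unparsable filter spec: {spec!r}")
    proto = dst_m["proto"] or src_m["proto"]
    if (src_m["port"] or dst_m["port"]) and not proto:
        # netsh rejects a port on a protocol=ANY filter; catch it before the script runs
        raise ValueError(f"port given without tcp/udp protocol: {spec!r}")
    src, smask = _addr(src_m["addr"])
    dst, dmask = _addr(dst_m["addr"])
    optional = [("srcmask", smask), ("dstaddr", dst), ("dstmask", dmask),
                ("protocol", proto and proto.lower()),
                ("srcport", src_m["port"]), ("dstport", dst_m["port"])]
    parts = [f"netsh ipsec static add filter filterlist={filterlist}", f"srcaddr={src}"]
    parts += [f"{k}={v}" for k, v in optional if v]
    parts.append("mirrored=" + ("yes" if sep == "+" else "no"))
    return " ".join(parts)


def convert_filterlist(filterlist, specs):
    """Convert every filter of one ipsecpol -f list, e.g. the 'Open Port' rule above."""
    return [ipsecpol_filter_to_netsh(s, filterlist) for s in specs]
```

Feeding the page's "Allow IP Port" list (0+*:53:udp, 0+*:80:tcp, 210.34.0.3+0:8080:tcp) through convert_filterlist reproduces the srcaddr=me dstaddr=any dstport=80 protocol=tcp form used in the someipsomeport list above.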
