IP Security Policy batch processing script

Source: Internet
Author: User

REM ========================== start =======================
REM Create the policy. Nothing below takes effect until the policy is assigned (last command).
netsh ipsec static add policy name=bim
REM Add two filter actions, Permit and Block.
netsh ipsec static add filteraction name=Permit action=permit
netsh ipsec static add filteraction name=Block action=block
REM First block all access. mirrored=yes is the default for add filter, so the Me->Any filter also matches Any->Me.
REM The more specific Permit filters below take precedence over this catch-all filter; rule order does not matter.
netsh ipsec static add filterlist name=AllAccess
netsh ipsec static add filter filterlist=AllAccess srcaddr=Me dstaddr=Any
netsh ipsec static add rule name=BlockAllAccess policy=bim filterlist=AllAccess filteraction=Block
REM Allow unrestricted access from some IP addresses (the administrator's machines).
netsh ipsec static add filterlist name=UnLimitedIP
netsh ipsec static add filter filterlist=UnLimitedIP srcaddr=61.128.128.67 dstaddr=Me
netsh ipsec static add rule name=AllowUnLimitedIP policy=bim filterlist=UnLimitedIP filteraction=Permit
REM Open some ports to everyone.
netsh ipsec static add filterlist name=OpenSomePort
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=20 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=21 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=80 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=3389 protocol=TCP
netsh ipsec static add rule name=AllowOpenSomePort policy=bim filterlist=OpenSomePort filteraction=Permit
REM Allow some IP addresses to reach some ports: outbound HTTP from this host, and 61.128.128.68 to SQL Server on 1433.
netsh ipsec static add filterlist name=SomeIPSomePort
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=80 protocol=TCP
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=61.128.128.68 dstaddr=Me dstport=1433 protocol=TCP
netsh ipsec static add rule name=AllowSomeIPSomePort policy=bim filterlist=SomeIPSomePort filteraction=Permit
REM Assign (activate) the policy. If you run this over a remote session, make sure your own address is in
REM UnLimitedIP (or one of the opened ports) first, otherwise the BlockAllAccess rule cuts off your session.
netsh ipsec static set policy name=bim assign=y
REM ========================== end ========================
"Netsh" is a command-line scripting utility included with the Windows 2000/XP/2003 operating systems. It lets you display or modify the network configuration of the computer it runs on, locally or remotely.
I have heard that netsh ipsec only runs on Windows 2003; I tested it under 2003.
I understand IP Security Policies as follows: a security policy is made up of rules, and each rule has two parts. First you create an IP filter list (which specifies the addresses, ports and protocols to match); then you create a filter action (what to do with traffic that matches those filters, i.e. permit or block). A rule ties a filter list to a filter action, and once its rules are added the policy is written. Before it does anything the policy must be activated, which is called assigning it. Filters are matched by specificity rather than by rule order, which is why a catch-all block filter and more specific permit filters can coexist in one policy.
The following walks through one example and attaches some common commands. In this example, the machine with IP address 192.168.1.2 is not allowed to access port 3389. Analysis follows.
First, create a security policy named XBLUE:
netsh ipsec static add policy name=XBLUE
Create an IP filter list and a filter that specifies 192.168.1.2 as the source and TCP port 3389 on this host as the destination:
netsh ipsec static add filterlist name=denyip
netsh ipsec static add filter filterlist=denyip srcaddr=192.168.1.2 dstaddr=Me dstport=3389 protocol=TCP
Create a filter action that blocks:
netsh ipsec static add filteraction name=denyact action=block
Add a rule to security policy XBLUE that ties the filter list to the filter action:
netsh ipsec static add rule name=kill3389 policy=XBLUE filterlist=denyip filteraction=denyact
Activate (assign) this policy:
netsh ipsec static set policy name=XBLUE assign=y
Export security policies to a file:
netsh ipsec static exportpolicy d:\ip.ipsec
Delete all security policies:
netsh ipsec static del all
Import security policies from the file:
netsh ipsec static importpolicy d:\ip.ipsec
Activate the imported policy (an imported policy is not assigned automatically):
netsh ipsec static set policy name=<policy name> assign=y
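The batch script at the top of the page and the XBLUE step sequence above both build a policy by hand and then assign it. The following is an added example, not code from the original page: the same default-deny policy (block everything, then permit administrator addresses, public service ports and per-source ports) wrapped in PowerShell so that it refuses to run unless the address you are administering from is on the permit list, shows the finished policy for review, and only assigns it when asked. The policy, filter-list and rule names, the sample addresses and ports, the -OperatorAddress parameter and the Invoke-IpsecStatic helper are my assumptions; unlike the page's script, TCP 3389 is not opened to everyone here, only to the administrator addresses. It needs an elevated prompt on a host that has the netsh ipsec static context (Windows Server 2003 or later).

```powershell
<#
  Added example (not from the original page): build a default-deny IPsec policy
  with "netsh ipsec static", guard against locking yourself out, print the
  policy for review, and assign it only on request. All names and sample
  addresses below are assumptions for this example.
#>
param(
    # The address you are administering this host from (e.g. your RDP client IP).
    [Parameter(Mandatory = $true)][string]$OperatorAddress,
    # Sources allowed to reach every port (constructed sample value).
    [string[]]$AdminAddresses = @('61.128.128.67'),
    [string]$PolicyName = 'bim',
    # Only assign (activate) the policy when this switch is given.
    [switch]$Assign
)

# Constructed sample data: TCP ports open to everyone, and per-source TCP ports.
$PublicTcpPorts = @(20, 21, 80)
$PerSourceTcpPorts = @{ '61.128.128.68' = @(1433) }

# Run one "netsh ipsec static ..." command and fail loudly on a non-zero exit code.
function Invoke-IpsecStatic {
    param([string[]]$NetshArgs)
    $output = & netsh.exe ipsec static @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh ipsec static $($NetshArgs -join ' ') failed: $output"
    }
    return $output
}

# Lockout guard: the first rule blocks all traffic, so the address this session
# comes from must be in the unrestricted list before the policy is ever assigned.
if ($AdminAddresses -notcontains $OperatorAddress) {
    throw "Refusing to continue: $OperatorAddress is not in -AdminAddresses; assigning would cut off this session."
}

# Policy and the two filter actions.
Invoke-IpsecStatic @('add', 'policy', "name=$PolicyName") | Out-Null
Invoke-IpsecStatic @('add', 'filteraction', 'name=Permit', 'action=permit') | Out-Null
Invoke-IpsecStatic @('add', 'filteraction', 'name=Block', 'action=block') | Out-Null

# Rule 1: block everything. mirrored=yes (the default) makes Me->Any also match
# Any->Me. The more specific Permit filters below take precedence over this
# catch-all filter; that is what makes a default-deny policy work.
Invoke-IpsecStatic @('add', 'filterlist', 'name=AllAccess') | Out-Null
Invoke-IpsecStatic @('add', 'filter', 'filterlist=AllAccess', 'srcaddr=Me', 'dstaddr=Any', 'mirrored=yes') | Out-Null
Invoke-IpsecStatic @('add', 'rule', 'name=BlockAllAccess', "policy=$PolicyName", 'filterlist=AllAccess', 'filteraction=Block') | Out-Null

# Rule 2: administrator addresses get unrestricted access (this covers RDP).
Invoke-IpsecStatic @('add', 'filterlist', 'name=UnLimitedIP') | Out-Null
foreach ($ip in $AdminAddresses) {
    Invoke-IpsecStatic @('add', 'filter', 'filterlist=UnLimitedIP', "srcaddr=$ip", 'dstaddr=Me') | Out-Null
}
Invoke-IpsecStatic @('add', 'rule', 'name=AllowUnLimitedIP', "policy=$PolicyName", 'filterlist=UnLimitedIP', 'filteraction=Permit') | Out-Null

# Rule 3: service ports open to everyone.
Invoke-IpsecStatic @('add', 'filterlist', 'name=OpenSomePort') | Out-Null
foreach ($port in $PublicTcpPorts) {
    Invoke-IpsecStatic @('add', 'filter', 'filterlist=OpenSomePort', 'srcaddr=Any', 'dstaddr=Me', "dstport=$port", 'protocol=TCP') | Out-Null
}
Invoke-IpsecStatic @('add', 'rule', 'name=AllowOpenSomePort', "policy=$PolicyName", 'filterlist=OpenSomePort', 'filteraction=Permit') | Out-Null

# Rule 4: specific sources may reach specific ports (e.g. an app server to SQL Server).
Invoke-IpsecStatic @('add', 'filterlist', 'name=SomeIPSomePort') | Out-Null
foreach ($ip in $PerSourceTcpPorts.Keys) {
    foreach ($port in $PerSourceTcpPorts[$ip]) {
        Invoke-IpsecStatic @('add', 'filter', 'filterlist=SomeIPSomePort', "srcaddr=$ip", 'dstaddr=Me', "dstport=$port", 'protocol=TCP') | Out-Null
    }
}
Invoke-IpsecStatic @('add', 'rule', 'name=AllowSomeIPSomePort', "policy=$PolicyName", 'filterlist=SomeIPSomePort', 'filteraction=Permit') | Out-Null

# Print the finished policy so it can be reviewed before activation.
Invoke-IpsecStatic @('show', 'policy', "name=$PolicyName", 'level=verbose')

if ($Assign) {
    Invoke-IpsecStatic @('set', 'policy', "name=$PolicyName", 'assign=y') | Out-Null
    Write-Host "Policy '$PolicyName' assigned. Keep this session open and open a second connection from $OperatorAddress before closing it."
} else {
    Write-Host "Policy '$PolicyName' created but not assigned. To activate it: netsh ipsec static set policy name=$PolicyName assign=y"
}
```

Run it once without -Assign, read the verbose output, then assign either with the printed command or by re-running with -Assign after removing the objects it created: netsh ipsec static delete policy name=bim removes the policy and its rules but not the filter lists and filter actions, which are independent objects and have to be deleted with delete filterlist name=... and delete filteraction name=... before the script can add them again.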
Flexible intrusion application
I obtained sa privileges on 61.90.227.136, but there is a policy restriction on the host and access to 3389 is not allowed. I want to use its 3389.
netsh ipsec static add filterlist name=welcomexblue
netsh ipsec static add filter filterlist=welcomexblue srcaddr=220.207.31.249 dstaddr=Me dstport=7892 protocol=TCP
netsh ipsec static add rule name=letxblue policy=ConnRest filterlist=welcomexblue filteraction=Permit
Access result:
Yes.
netsh ipsec static del rule name=letxblue policy=ConnRest
Change:
netsh ipsec static set filter filterlist=welcomexblue srcaddr=220.207.31.249 dstaddr=Me dstport=3389 protocol=TCP
Delete:
netsh ipsec static del rule name=letxblue policy=ConnRest
netsh ipsec static del filterlist name=welcomexblue
The following is for Win2K
Under Win2K, ipsecpol is required to add IP security policies. It ships in the Windows Resource Kit as one exe and two dll files. I will not explain how to use it here; you can run ipsecpol /? > ipsecpolhelp.txt and read the help file. This is my own script.
In ipsecpol filter specifications, 0 stands for this host (Me), * for any address, + between the two addresses makes the filter mirrored, and :port:protocol restricts it to one port; -n BLOCK or -n PASS selects the action and -x assigns the policy.
REM First block everything
ipsecpol -w REG -p "Haishion" -r "Block All IP" -f *+0 -n BLOCK
REM Open unrestricted access for some machines, for example your own workstation
ipsecpol -w REG -p "Haishion" -r "Allow IP" -f ^
210.34.0.1+0 ^
210.34.0.2+0 ^
-n PASS
REM Open server ports, for example http 80 and ftp 20 and 21
ipsecpol -w REG -p "Haishion" -r "Open Port" -f ^
*+0:20:TCP ^
*+0:21:TCP ^
*+0:80:TCP ^
-n PASS
REM Allow certain IP addresses to reach specific ports (and this host to reach DNS and HTTP outbound)
ipsecpol -w REG -p "Haishion" -r "Allow IP Port" -f ^
0+*:53:UDP ^
0+*:80:TCP ^
210.34.0.3+0:8080:TCP ^
-n PASS
REM Assign the policy
ipsecpol -w REG -p "Haishion" -x