windows2003
windows2008
1. Create the policy:
netsh ipsec static add policy name='249-WAN-IP' description="249机器的IP安全策略"
2. Create the filter actions:
netsh ipsec static add filteraction name='阻止' action=block
netsh ipsec static add filteraction name='允许' action=permit
3. Create the filter lists:
netsh ipsec static add filterlist name='blacklist' description='黑名单'
netsh ipsec static add filterlist name='whitelist' description='白名单'
4. Create the filters:
netsh ipsec static add filter filterlist='blacklist' srcaddr=any dstaddr=me dstport=80 protocol=tcp mirrored=yes description='禁止80端口访问控制'
   (blocks every source IP from reaching port 80 on this host)
netsh ipsec static add filter filterlist=blacklist srcaddr=192.1.1.0 srcmask=255.255.255.0 srcport=0 dstaddr=me dstport=0 protocol=any desc=禁止1网段 mirrored=yes
   (restricts all access from the 192.1.1.0/24 subnet)
netsh ipsec static add filter filterlist='whitelist' srcaddr=192.1.1.72 dstaddr=me dstport=80 description='1.72的80端口访问控制' protocol=TCP mirrored=yes
   (allows 192.1.1.72 to reach port 80)
5. Create the policy rules:
netsh ipsec static add rule name='deny-1net-ip-access' policy='249-WAN-IP' filterlist='blacklist' filteraction='阻止' desc=阻止1网段主机所有通信
netsh ipsec static add rule name='admit-1net-ip-access' filterlist='whitelist' filteraction='允许' policy='249-WAN-IP' desc=允许部分1网段主机80端口通信
6. Activate (assign) the policy:
netsh ipsec static set policy name='249-WAN-IP' assign=y
Since there are many whitelist IPs to add, write all of the IPs to be added into one bat script and run them in a single pass.
Note 1: The following command works on Windows 2008 but fails on Windows 2003:
netsh ipsec static add filter filterlist=blacklist srcaddr=192.1.1.2-192.1.1.10 srcport=0 dstaddr=me dstport=80 protocol=TCP desc=禁止8网段 mirrored=yes
Note 2: A filter added with srcaddr=192.1.1.2-192.1.1.10 is not displayed in the graphical console, so to delete it you have to run:
netsh ipsec static delete filter filterlist=blacklist srcaddr=192.1.1.2-192.1.1.10 srcport=0 dstaddr=me dstport=80 protocol=TCP mirrored=yes
Note 3: On Windows 2008, srcaddr=192.1.1.0 srcmask=255.255.255.0 is equivalent to srcaddr=192.1.1.0/24.
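The six steps above, including the "put all the whitelist IPs in one bat script" idea from step 6, plus the command-line verification that Notes 1 and 2 make necessary, as an added batch script; this is an added example, not a script from the original post. The policy, filter-list and filter-action names are the ones used on the page; the whitelist addresses and the `remove` rollback branch are constructed for this example. The `show filterlist` / `show policy` commands with `level=verbose` are standard `netsh ipsec static` commands; they are the only place a range filter that the MMC snap-in hides will show up.

```batch
@echo off
REM Added example (not the original post's script): builds the 249-WAN-IP policy
REM from the page's six steps and adds every whitelisted host in one loop.
REM Save this file in the system ANSI code page (GBK on Chinese Windows), or the
REM Chinese filter-action / description values will be garbled when cmd.exe reads them.
setlocal

set POLICY=249-WAN-IP
set BLACK=blacklist
set WHITE=whitelist

REM Constructed sample whitelist: hosts in 192.1.1.0/24 that may still reach TCP/80.
set WHITELIST=192.1.1.72 192.1.1.73 192.1.1.80

if /i "%~1"=="remove" goto :remove

REM Steps 1-3: policy, filter actions, filter lists (names taken from the page).
netsh ipsec static add policy name="%POLICY%" description="249机器的IP安全策略"
netsh ipsec static add filteraction name="阻止" action=block
netsh ipsec static add filteraction name="允许" action=permit
netsh ipsec static add filterlist name="%BLACK%" description="黑名单"
netsh ipsec static add filterlist name="%WHITE%" description="白名单"

REM Step 4a: block all traffic from the whole 192.1.1.0/24 subnet.
netsh ipsec static add filter filterlist="%BLACK%" srcaddr=192.1.1.0 srcmask=255.255.255.0 srcport=0 dstaddr=me dstport=0 protocol=any mirrored=yes description="禁止1网段"

REM Step 4b: permit TCP/80 from each whitelisted host. IPsec applies the most
REM specific matching filter, so a single-host permit overrides the subnet block.
for %%H in (%WHITELIST%) do (
    echo Adding whitelist filter for %%H on TCP/80
    netsh ipsec static add filter filterlist="%WHITE%" srcaddr=%%H dstaddr=me dstport=80 protocol=TCP mirrored=yes description="allow TCP/80 from %%H"
)

REM Step 5: bind each list to its action inside the policy.
netsh ipsec static add rule name="deny-1net-ip-access" policy="%POLICY%" filterlist="%BLACK%" filteraction="阻止"
netsh ipsec static add rule name="admit-1net-ip-access" policy="%POLICY%" filterlist="%WHITE%" filteraction="允许"

REM Step 6: assign (activate) the policy.
netsh ipsec static set policy name="%POLICY%" assign=y

REM Verify from the command line, not the GUI: filters added with an address
REM range (Windows 2008 only) never appear in the snap-in.
netsh ipsec static show filterlist name="%WHITE%" level=verbose
netsh ipsec static show policy name="%POLICY%" level=verbose
goto :eof

:remove
REM Rollback path (constructed for this example): unassign first, then delete
REM the policy and the objects it references, in dependency order.
netsh ipsec static set policy name="%POLICY%" assign=n
netsh ipsec static delete policy name="%POLICY%"
netsh ipsec static delete filterlist name="%WHITE%"
netsh ipsec static delete filterlist name="%BLACK%"
netsh ipsec static delete filteraction name="允许"
netsh ipsec static delete filteraction name="阻止"
goto :eof
```

Run it from an elevated prompt as `ipsec-249.cmd` to apply and `ipsec-249.cmd remove` to roll back. Because the blacklist filter is `protocol=any mirrored=yes`, it also cuts RDP and every other management channel from the subnet, so run the script from the local console or add your own admin host's address to `WHITELIST` (with the port you need) before assigning the policy.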