1、1.创建策略
netsh ipsec static add policy name="249-WAN-IP" description=”249机器的IP安全策略”
2、2.创建筛选器操作
netsh ipsec static add filteraction name="阻止" action=block
netsh ipsec static add filteraction name="允许" action=permit
3、3.创建筛选列表
netsh ipsec static add filterlist name="blacklist" description="黑名单"
netsh ipsec static add filterlist name="whitelist" description="白名单"
4、4.创建筛选器
netsh ipsec static add filter filterlist="blacklist" srcaddr=any dstaddr=me dstport=80 protocol=tcp mirrored=yes description="禁止80端口访问控制" ——禁止任何IP访问本机的80端口
5、netsh ipsec static add filter filterlist=blacklist srcaddr=192.1.1.0 srcmask=255.255.255.0 srcport=0 dstaddr=me dstport=0 protocol=any desc=禁止1网段 mirrored=yes——限制1网段访问
netsh ipsec static add filter filterlist="whitelist" srcaddr=192.1.1.72 dstaddr=me dstport=80 description="1.72的80端口访问控制" protocol=TCP mirrored=yes——允许1.72访问80端口
6、5.创建策略规则
netsh ipsec static add rule name="deny-1net-ip-access" policy="249-WAN-IP" filterlist="blacklist" filteraction="阻止" desc=阻止1网段主机所有通信
netsh ipsec static add rule name="admit-1net-ip-access" filterlist="whitelist" filteraction="允许" policy="249-WAN-IP" desc=允许部分1网段主机80端口通信
7、6.激活策略
netsh ipsec static set policy name="249-WAN-IP" assign=y
由于添加白名单的ip比较多,将所有要添加的ip写在一个bat脚本里面,然后统一执行
