Windows server 2003設置IP安全策略批處理腳本[轉載]

本文轉載自:http://moneypy.blog.51cto.com/745631/329461

常用端口
20 ftp傳送端口
21 ftp控制端口
53 dns服務端口tcp/udp
80 web服務端口
161 snmp服務端口
1433 mssql
3306 mysql
3389 遠程連接

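rem =====================腳本開始=====================
rem Windows Server 2003 IPsec policy set up with "netsh ipsec static".
rem cmd.exe has no "#" comment syntax: a line that starts with "#" is executed as a
rem command and fails with "not recognized", so every comment in this script uses "rem".
rem Policy "10互聯默認ip策略": the host itself may go out to the Internet, and only the
rem inbound ports listed below are reachable from outside; everything else is blocked.
rem NOTE(review): 125.76.233.185 is the trusted management host from the original post;
rem replace it with your own management address before the policy is assigned.
netsh ipsec static add policy name="10互聯默認ip策略" description="本地可以上網,並開放常用端口."
rem =====================添加策略允許雙向ping=============
rem All ICMP between this host and any address. "許可" is presumably the localized name of
rem the built-in Permit filter action on Chinese Windows -- confirm with
rem "netsh ipsec static show filteraction all", or use the Permit action defined below.
netsh ipsec static add filter filterlist="所有 ICMP 通訊" srcaddr=me srcmask=255.255.255.255 dstaddr=Any protocol=ICMP
netsh ipsec static add rule name="所有 ICMP 通訊" policy="10互聯默認ip策略" filterlist="所有 ICMP 通訊"  filteraction="許可"
rem =====================添加2個動作,block和permit(拒絕和允許)==
rem Two explicit filter actions, referenced by name by the rules below.
netsh ipsec static add filteraction name=Permit action=permit
netsh ipsec static add filteraction name=Block action=block
rem ===開放某些IP無限制訪問任何的端口(UnLimitedIP)ip爲125.76.233.185可以訪問服務器的任何的端口===
rem Management host: unrestricted access to every port on this server (all protocols).
netsh ipsec static add filterlist name=UnLimitedIP description="開放某些IP無限制訪問任何的端口"
netsh ipsec static add filter filterlist=UnLimitedIP srcaddr=125.76.233.185 dstaddr=Me
netsh ipsec static add rule name=AllowUnLimitedIP policy="10互聯默認ip策略" filterlist=UnLimitedIP filteraction=Permit
rem ===開放某些ip可以訪問某些端口(SomeIPSomePort)ip爲125.76.233.185可以訪問3389端口,自己可以上網用到對方的80和53端口
rem Outbound from this host: HTTP (80/TCP) and DNS (53/UDP and 53/TCP).
rem Inbound: RDP (3389/TCP) only from the management host.
netsh ipsec static add filterlist name=SomeIPSomePort description="開放某些ip可以訪問某些端口"
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=80 protocol=TCP
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=53 protocol=UDP
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=53 protocol=TCP
netsh ipsec static add filter filterlist=SomeIPSomePort srcaddr=125.76.233.185 dstaddr=Me dstport=3389 protocol=TCP
netsh ipsec static add rule name=AllowSomeIPSomePort policy="10互聯默認ip策略" filterlist=SomeIPSomePort filteraction=Permit
rem ===開放一些服務需要的端口(OpenSomePort)所有的端口可以是用網站+ftp+遠程服務=====================
rem Inbound service ports open to any source: FTP (20/21), HTTP (80), MSSQL (1433),
rem MySQL (3306) and RDP (3389).
rem NOTE(review): IPsec applies the most specific matching filter, so these port-specific
rem Permit filters take precedence over the catch-all Block rule below. The 3389 entry here
rem therefore makes the single-host 3389 filter in SomeIPSomePort redundant and exposes RDP,
rem MSSQL and MySQL to every source address. Remove from this list any port that should only
rem be reachable from the management host.
netsh ipsec static add filterlist name=OpenSomePort description="開放一些服務需要的端口"
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=20 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=21 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=80 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=1433 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=3306 protocol=TCP
netsh ipsec static add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=3389 protocol=TCP
netsh ipsec static add rule name=AllowOpenSomePort policy="10互聯默認ip策略" filterlist=OpenSomePort filteraction=Permit
rem ===禁止所有訪問(AllAccess)=====================
rem Catch-all: block all remaining traffic between this host and any address
rem (no protocol or port given, so it matches everything not permitted above).
netsh ipsec static add filterlist name=AllAccess
netsh ipsec static add filter filterlist=AllAccess srcaddr=Me dstaddr=Any
netsh ipsec static add rule name=BlockAllAccess policy="10互聯默認ip策略" filterlist=AllAccess filteraction=Block
rem ===激活這個策略=====================
rem Assign the policy; it takes effect once assigned. Run from a console session (or with the
rem management host already permitted above) so a mistake cannot lock you out over RDP.
netsh ipsec static set policy name="10互聯默認ip策略" assign=y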
