Title: [66 yuan] Looking for help with a batch program that adds IP security policies in bulk <script shared> [Solved]
Author: usebat  Time: 2019-7-12 14:45
This post was last edited by usebat on 2019-7-17 12:22
Reward: 66 yuan RMB
Payment method: Alipay or bank transfer
Contact: 2*9*8*4*9*3*1*6*2*3 (remove the asterisks to get the correct number)
Valid until: before 2019-7-15.
Requirements:
(1) System environment: Windows Server 2012
(2) Use cmd commands to add IP security policies in bulk from known IPs or IP ranges; ideally the script should automatically download the list of domestic (Chinese) IP ranges from the internet to update the IP database periodically
(3) Test data and expected result: foreign IP addresses should be unable to reach the server's website; only domestic access is allowed (domestic IP whitelist, everything else blocked)
(4) I can provide some resources: the source of the IP addresses, and part of a batch script for extracting the IPs.
IP address source: http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest (filter by the keywords CN, HK, MO to get the IP ranges for mainland China, Hong Kong and Macao)
Below is part of the code. It filters the whitelist IPs we need out of the downloaded TXT IP database; the exact output format can be arranged as you like. The IP range part may be somewhat inaccurate: the data this program produces has overlaps or wrongly excludes whitelist IPs.

@echo off
REM Keep only the IPv4 records for mainland China, Hong Kong and Macao
findstr /i "|CN|ipv4| |HK|ipv4| |MO|ipv4|" "C:\Users\Administrator\Desktop\cnip\delegated-apnic-latest.txt" > "C:\Users\Administrator\Desktop\cnip\rs\CNIP.txt"
set "dataDir=C:\Users\Administrator\Desktop\cnip\rs\CNIP.txt"

REM Field 4 of each "|"-separated record is the start address of the block
REM for /f "delims=| tokens=4" %%i in (%dataDir%) do echo %%i >> "C:\Users\Administrator\Desktop\cnip\rs\ips.txt"

for /f "delims=| tokens=4" %%i in (%dataDir%) do (
    echo %%i
    REM Split the start address into its first three octets. The block size field
    REM is not used here, which is why the ranges written below can be too wide or overlap.
    for /f "delims=. tokens=1-3" %%s in ("%%i") do (
        if NOT %%t == 0 (
            if %%u == 0 (
                echo IP Range is %%i -- %%s.%%t.255.255 >> "C:\Users\Administrator\Desktop\cnip\rs\logs.txt"
            ) else (
                echo IP Range is %%i -- %%s.%%t.%%u.255 >> "C:\Users\Administrator\Desktop\cnip\rs\logs.txt"
            )
        ) else (
            echo IP Range is %%i -- %%s.255.255.255 >> "C:\Users\Administrator\Desktop\cnip\rs\logs.txt"
        )
    )
)

pause
Finally, based on the filtered IPs, we can use the cmd command netsh ipsec to add the IP security policies in bulk. Since I could not work out how to add IP ranges, I gave up on that part myself; asking the experts here for advice.
For details on the netsh ipsec commands, see:
https://www.cnblogs.com/cnxkey/articles/10374937.html
https://www.jb51.net/article/110692.htm
Thanks everyone!!!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2019-7-17 Thread closed
First of all, many thanks to flashercs, who was very patient and also gave me a lot of suggestions along the way. I tried countless times, and he patiently revised it countless times.
Although the performance in the final tests was not good, that is not flashercs's fault; it is simply how it turned out. In the spirit of sharing, I am publishing the code from this thread
so that others who need it can learn from it. flashercs should have no objection to everyone studying his code.
I will post the script directly here; the code is rather long and takes up space. I tried uploading it as an attachment, but that seems to have a problem, so I can only post the source code directly.

0<1/*,:
@echo off
REM This script creates an IPSec security policy that blocks foreign IPs from reaching this machine; it must be run as administrator
REM Set the local IP
set localip="121.201.74.164"
REM Create the netsh script
echo 正在更新IP列表...
netsh ipsec static set policy name="policy1" assign=no
cscript -nologo -e:jscript %0 %localip%
echo 更新IP列表完成
REM Run the netsh script
echo 正在设置IPSec策略
netsh -f "%~dp0netshScript.txt"
echo 设置IPSec策略完成
pause
exit /b
*/
;
var xhr = (function () {
    // try the available MSXML HTTP objects, newest first
    var aXMLHttpVers = ['MSXML2.XMLHTTP.6.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP', 'Microsoft.XMLHTTP'];
    for (var i = 0; i < aXMLHttpVers.length; i++) {
        try {
            return WScript.CreateObject(aXMLHttpVers[i]);
        } catch (error) {}
    }
    return null;
})();
if (xhr === null) WScript.Quit(1);
// var wshell = new ActiveXObject('WScript.Shell');
var fso = new ActiveXObject('Scripting.FileSystemObject');
var currDir = fso.GetParentFolderName(WScript.ScriptFullName);
var ipfile = currDir + '\\ip.txt';
var netshScript = currDir + '\\netshScript.txt';
// one APNIC record: |CN|ipv4|<start address>|<number of addresses>
var re = /\|(?:CN|HK|MO)\|ipv4\|((?:\d+\.){3}\d+)\|(\d+)/g;
// var tsWrite1 = fso.openTextFile(ipfile, 2, true, -2);
var tsWrite2 = fso.openTextFile(netshScript, 2, true, -2);
// initialize netshScript.txt
tsWrite2.WriteLine('ipsec static');
tsWrite2.WriteLine('set batch enable');
// delete old policy policy1
tsWrite2.WriteLine('delete rule name="_AllowRule" policy="policy1"');
tsWrite2.WriteLine('delete rule name="_BlockRule" policy="policy1"');
tsWrite2.WriteLine('delete filterlist name="WhiteList"');
tsWrite2.WriteLine('delete filterlist name="OtherAddr"');
tsWrite2.WriteLine('delete filteraction name="_Allow"');
tsWrite2.WriteLine('delete filteraction name="_Disallow"');
tsWrite2.WriteLine('delete policy name="policy1"');
// add filterlist
tsWrite2.WriteLine('add filterlist name="WhiteList" description="Allowed IP addresses"');
tsWrite2.WriteLine('add filterlist name="OtherAddr" description="Other disallowed IP addresses"');
// update the IP list in the netsh script netshScript.txt
// add filters to filterlist WhiteList
tsWrite2.WriteLine('add filter filterlist="WhiteList" description="User defined local IP address" srcaddr=' + WScript.Arguments(0) + ' dstaddr=me protocol=any mirrored=no');
tsWrite2.WriteLine('add filter filterlist="WhiteList" description="Gateway" srcaddr=GATEWAY dstaddr=me protocol=any mirrored=no');
tsWrite2.WriteLine('add filter filterlist="WhiteList" description="DNS" srcaddr=DNS dstaddr=me protocol=any mirrored=no');
tsWrite2.WriteLine('add filter filterlist="WhiteList" description="DHCP" srcaddr=DHCP dstaddr=me protocol=any mirrored=no');
tsWrite2.WriteLine('add filter filterlist="WhiteList" description="WINS" srcaddr=WINS dstaddr=me protocol=any mirrored=no');
tsWrite2.WriteLine('add filter filterlist="WhiteList" description="LAN" srcaddr=10.0.0.0 srcmask=8 dstaddr=me protocol=any mirrored=no');
tsWrite2.WriteLine('add filter filterlist="WhiteList" description="LAN" srcaddr=172.16.0.0 srcmask=12 dstaddr=me protocol=any mirrored=no');
tsWrite2.WriteLine('add filter filterlist="WhiteList" description="LAN" srcaddr=192.168.0.0 srcmask=16 dstaddr=me protocol=any mirrored=no');
var arrURL = [
    // 'http://ipblock.chacuo.net/down/t_txt=c_CN',
    // 'http://ipblock.chacuo.net/down/t_txt=c_HK',
    // 'http://ipblock.chacuo.net/down/t_txt=c_MO'
    'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'
];
var arrReferer = [
    'http://ipblock.chacuo.net/view/c_CN',
    'http://ipblock.chacuo.net/view/c_HK',
    'http://ipblock.chacuo.net/view/c_MO'
];
var arrIP, str, exitCode = 0;
for (var i = 0; i < arrURL.length; i++) {
    xhr.open('GET', arrURL[i], false); //CN,HK,MO
    // xhr.setRequestHeader('Referer', arrReferer[i]);
    xhr.send();
    if (xhr.status === 200) {
        str = xhr.responseText;
        // WScript.Echo(str);
        while (arrIP = re.exec(str)) {
            var ip = arrIP[1];
            // the address count is assumed to be a power of two; rounding keeps floating-point
            // error in the logarithm from producing a fractional srcmask
            var prefix = 32 - Math.round(Math.log(+arrIP[2]) / Math.log(2));
            tsWrite2.WriteLine('add filter filterlist="WhiteList" description="CNIP" srcaddr=' + ip + ' srcmask=' + prefix + ' dstaddr=me protocol=any mirrored=no');
        }
    } else {
        exitCode++;
        WScript.Echo('Download "' + arrURL[i] + '" failed. Status: ' + xhr.status);
    }
}
// add filters to filterlist OtherAddr
tsWrite2.WriteLine('add filter filterlist="OtherAddr" description="ALL" srcaddr=any dstaddr=me protocol=any mirrored=no');
// add filteraction permit
tsWrite2.WriteLine('add filteraction name="_Allow" description="Allow connect" action=permit');
// add filteraction block
tsWrite2.WriteLine('add filteraction name="_Disallow" description="Disallow connect" action=block');
// add policy
tsWrite2.WriteLine('add policy name="policy1" description="policy1"');
// add rule
tsWrite2.WriteLine('add rule name="_AllowRule" description="Allow WhiteList to connect to local machine" policy="policy1" filterlist="WhiteList" filteraction="_Allow" activate=yes');
tsWrite2.WriteLine('add rule name="_BlockRule" description="Block others to connect to local machine" policy="policy1" filterlist="OtherAddr" filteraction="_Disallow" activate=yes');
// tsWrite2.WriteLine('delete filterlist name="WhiteList"'); // delete the old IP list first; a filterlist cannot be deleted while it is in use
// tsWrite2.WriteLine('add filterlist name="WhiteList" description="允许访问本地服务器的IP列表"'); // then create the new IP list
// activate policy1
tsWrite2.WriteLine('set policy name="policy1" assign=yes');
// tsWrite1.close();
tsWrite2.close();
WScript.Quit(exitCode);
Author: flashercs  Time: 2019-7-12 22:52
0<1/*,:
@echo off
REM This script creates an IPSec security policy that blocks foreign IPs from reaching this machine; it must be run as administrator
REM Create the netsh script
cscript -nologo -e:jscript %0
REM Run the netsh script
netsh -f "%~dp0netshScript.txt"
pause
exit /b
*/
;
var xhr = (function () {
    // try the available MSXML HTTP objects, newest first
    var aXMLHttpVers = ['MSXML2.XMLHTTP.6.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP', 'Microsoft.XMLHTTP'];
    for (var i = 0; i < aXMLHttpVers.length; i++) {
        try {
            return WScript.CreateObject(aXMLHttpVers[i]);
        } catch (error) {}
    }
    return null;
})();
if (xhr === null) WScript.Quit(1);
var wshell = new ActiveXObject('WScript.Shell');
var fso = new ActiveXObject('Scripting.FileSystemObject');
var currDir = fso.GetParentFolderName(WScript.ScriptFullName);
var ipfile = currDir + '\\ip.txt';
var netshScript = currDir + '\\netshScript.txt';
xhr.onReadystateChange = function () {
    if (xhr.readyState == 4) {
        // one APNIC record: |CN|ipv4|<start address>|<number of addresses>
        var re = /\|(?:CN|HK|MO)\|ipv4\|((?:\d+\.){3}\d+)\|(\d+)/g;
        var str = xhr.responseText;
        var arrIP;
        var tsWrite1 = fso.openTextFile(ipfile, 2, true, -2);
        var tsWrite2 = fso.openTextFile(netshScript, 2, true, -2);
        // initialize netshScript.txt
        tsWrite2.WriteLine('ipsec static');
        tsWrite2.WriteLine('set batch enable');
        // delete old policy policy1
        tsWrite2.WriteLine('delete policy name="policy1"');
        // add filterlist
        tsWrite2.WriteLine('add filterlist name="白名单" description="允许访问本地服务器的IP列表"');
        tsWrite2.WriteLine('add filterlist name="所有地址" description="所有IP列表"');
        // update the IP list in the netsh script netshScript.txt
        // add filters to filterlist 白名单
        while (arrIP = re.exec(str)) {
            var ip = arrIP[1];
            // the address count is assumed to be a power of two; rounding keeps floating-point
            // error in the logarithm from producing a fractional srcmask
            var prefix = 32 - Math.round(Math.log(+arrIP[2]) / Math.log(2));
            tsWrite1.WriteLine(ip + '/' + prefix);
            tsWrite2.WriteLine('add filter filterlist="白名单" description="CNIP" srcaddr=' + ip + ' srcmask=' + prefix + ' dstaddr=me protocol=any mirrored=yes');
        }
        // add filters to filterlist 所有地址
        tsWrite2.WriteLine('add filter filterlist="所有地址" description="ALL" srcaddr=any dstaddr=me protocol=any mirrored=yes');
        // add filteraction permit
        tsWrite2.WriteLine('add filteraction name="允许" description="允许访问" action=permit');
        // add filteraction block
        tsWrite2.WriteLine('add filteraction name="阻止" description="禁止访问" action=block');
        // add policy
        tsWrite2.WriteLine('add policy name="policy1" description="policy1"');
        // add rule
        tsWrite2.WriteLine('add rule name="允许规则" description="允许白名单访问规则" policy="policy1" filterlist="白名单" filteraction="允许" activate=yes');
        tsWrite2.WriteLine('add rule name="阻止规则" description="禁止所有IP访问规则" policy="policy1" filterlist="所有地址" filteraction="阻止" activate=yes');
        // tsWrite2.WriteLine('delete filterlist name="白名单"'); // delete the old IP list first; a filterlist cannot be deleted while it is in use
        // tsWrite2.WriteLine('add filterlist name="白名单" description="允许访问本地服务器的IP列表"'); // then create the new IP list
        // activate policy1
        tsWrite2.WriteLine('set policy name="policy1" assign=yes');
        tsWrite1.close();
        tsWrite2.close();
        WScript.Quit();
    }
};

var url = 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'; // source URL for updating the IP address database
xhr.open('GET', url, true);
xhr.send();

// keep the script alive until the asynchronous download completes and the handler above calls WScript.Quit
while (true) {
    WScript.Sleep(100);
}
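Both scripts in this thread derive srcmask from the APNIC address count with a logarithm and so assume every count is a power of two, which the delegated file does not guarantee (a count such as 768 yields no valid integer prefix). The following is an added example, not code from this thread, written in plain JavaScript (Node.js) rather than WSH JScript: it parses constructed delegated-apnic records and splits each (start address, count) pair into aligned CIDR blocks, emitting the same "add filter" lines the scripts write. The sample records and the filterlist name are constructed.

```javascript
// Matches the fields both thread scripts use: registry|CC|ipv4|start|count|...
const RECORD = /^apnic\|(CN|HK|MO)\|ipv4\|((?:\d+\.){3}\d+)\|(\d+)\|/;
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}
function intToIp(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}
// Split [start, start + count) into the fewest aligned CIDR blocks. Each block is
// the largest power of two that divides the current start address and still fits
// in the remaining count, so 1.0.32.0 with count 768 becomes a /23 plus a /24.
function rangeToCidrs(startIp, count) {
  const blocks = [];
  let start = ipToInt(startIp);
  let remaining = count;
  while (remaining > 0) {
    let size = 1, bits = 0;
    while (size * 2 <= remaining && start % (size * 2) === 0) {
      size *= 2;
      bits += 1;
    }
    blocks.push({ addr: intToIp(start), prefix: 32 - bits });
    start += size;
    remaining -= size;
  }
  return blocks;
}
// Emit the same "add filter" lines the thread's netsh script writes, one per block.
function netshFiltersFromDelegated(text, filterlist) {
  const lines = [];
  for (const raw of text.split('\n')) {
    const m = RECORD.exec(raw.trim());
    if (!m) continue; // header, summary and other-country records are skipped
    for (const b of rangeToCidrs(m[2], Number(m[3]))) {
      lines.push('add filter filterlist="' + filterlist + '" description="' + m[1] +
        '" srcaddr=' + b.addr + ' srcmask=' + b.prefix + ' dstaddr=me protocol=any mirrored=no');
    }
  }
  return lines;
}
// Constructed sample in the delegated-apnic-latest format (not real allocations).
const SAMPLE = [
  'apnic|*|ipv4|*|3|summary',
  'apnic|CN|ipv4|1.0.1.0|256|20110414|allocated',
  'apnic|HK|ipv4|1.0.32.0|768|20110414|allocated',
  'apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated',
].join('\n');
```

Running netshFiltersFromDelegated(SAMPLE, 'WhiteList') gives three filter lines: one /24 for the CN record and a /23 plus a /24 for the 768-address HK record, with the JP and summary records skipped.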
Author: usebat  Time: 2019-7-13 11:01
Reply to #2 flashercs
OK, thank you very much for your support. I will test it on my side, and if there are no problems I will contact you right away to transfer the payment.
Welcome to Batch Home (http://bathome.net./) | Powered by Discuz! 7.2