[新手上路]批处理新手入门导读[视频教程]批处理基础视频教程[视频教程]VBS基础视频教程[批处理精品]批处理版照片整理器
[批处理精品]纯批处理备份&还原驱动[批处理精品]CMD命令50条不能说的秘密[在线下载]第三方命令行工具[在线帮助]VBScript / JScript 在线参考
返回列表 发帖

【66元】求助一个批量加IP安全策略的批处理程序 <脚本已分享>【已解决】

本帖最后由 usebat 于 2019-7-17 12:22 编辑

具体报酬:66元RMB
支付方式:可支付宝,可银行转账
联系方式:2*9*8*4*9*3*1*6*2*3(去掉*号就是正确号码)
有效期限:2019年7月15日之前。
需求描述:
(1)系统环境:Windows Server 2012
(2)根据已知的IP,或者IP段来批量使用cmd命令来添加IP安全策略,最好可以自动从网上下载国内IP地址段来定期更新IP库
(3)测试数据及期待结果:希望做到国外IP地址无法访问服务器网站,只供国内访问(国内IP白名单,其余全封禁)
(4)这边可提供部分资源:IP地址获取地址,以及IP提取的部分批处理。

IP地址获取地址:http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest  (通过关键字:CN,HK,MO来筛选出中国大陆,香港,澳门的相关IP)

以下为部分代码,可根据下载下来的TXT IP库来筛选出我们需要的白名单IP,具体格式可自组。IP范围部分可能有些不准确,该程序处理出来的数据有重合或者误杀白名单IP。
  1. @echo off
  2. findstr /i "|CN|ipv4| |HK|ipv4| |MO|ipv4|" "C:\Users\Administrator\Desktop\cnip\delegated-apnic-latest.txt" > "C:\Users\Administrator\Desktop\cnip\rs\CNIP.txt"
  3. set "dataDir=C:\Users\Administrator\Desktop\cnip\rs\CNIP.txt"
  4. set "ip=C:\Users\Administrator\Desktop\cnip\rs\ip.txt"
  5. ::for /f "delims=| tokens=4" %%i in (%dataDir%) do echo %%i >> "C:\Users\Administrator\Desktop\cnip\rs\ips.txt"
  6. for /f "delims=| tokens=4" %%i in (%dataDir%) do (
  7. echo %%i > "C:\Users\Administrator\Desktop\cnip\rs\ip.txt"
  8. echo %%i
  9. set tmpip=%%i
  10. for  /f "delims=. tokens=1,2,3" %%s in (%ip%) do (
  11. echo %%s %%t %%u
  12. if NOT %%t == 0 (
  13. if %%u == 0 (
  14. echo IP Range is %%i -- %%s.%%t.255.255 >> "C:\Users\Administrator\Desktop\cnip\rs\logs.txt"
  15. )else (
  16. echo IP Range is %%i -- %%s.%%t.%%u.255 >> "C:\Users\Administrator\Desktop\cnip\rs\logs.txt"
  17. )
  18. )else (
  19. echo IP Range is %%i -- %%s.255.255.255 >> "C:\Users\Administrator\Desktop\cnip\rs\logs.txt"
  20. )
  21. )
  22. )
  23. pause
复制代码
最后根据筛选出来的IP,我们可以通过cmd命令:netsh ipsec  来批量添加IP安全策略,由于搞不清楚如何加入IP段这块点,所以自己就放弃了,求教各位大佬。

至于netsh ipsec 命令相关详解,可参考:
https://www.cnblogs.com/cnxkey/articles/10374937.html
https://www.jb51.net/article/110692.htm

谢谢大家啦!!!



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

2019年7月17日 结贴

首先非常感谢:flashercs   非常的有耐心,并且中途也有给到我很多建议。尝试了无数次,他也耐心的改了无数次。

虽然最后测试出来的性能不佳,但是不关 flashercs  的问题。事实就是如此。最后本着共享精神,我把这次的代码

公布出来,分享给其他需要的人学习一下。flashercs  应该也会同意大家学习他的代码的。

这边直接公布脚本附件吧。代码比较长,占版面。 尝试上传附件,貌似有问题,只能直接发源代码了。
  1. 0<1/*,:
  2. @echo off
  3. REM 脚本用于创建IPSec安全策略,阻止国外IP访问本地机器,必须以管理员身份运行
  4. REM 设置本地IP
  5. set localip="121.201.74.164"
  6. REM 创建netsh Script
  7. echo 正在更新IP列表...
  8. netsh ipsec static set policy name="policy1" assign=no
  9. cscript -nologo -e:jscript %0 %localip%
  10. echo 更新IP列表完成
  11. REM 执行netsh Script
  12. echo 正在设置IPSec策略
  13. netsh -f "%~dp0netshScript.txt"
  14. echo 设置IPSec策略完成
  15. pause
  16. exit /b
  17. */
  18. ;
  19. var xhr = (function () {
  20.   var aXMLHttpVers = ['MSXML2.XMLHTTP.6.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP', 'Microsoft.XMLHTTP'];
  21.   for (var i = 0; i < aXMLHttpVers.length; i++) {
  22.     try {
  23.       return WScript.CreateObject(aXMLHttpVers[i]);
  24.     } catch (error) {}
  25.   }
  26.   return null;
  27. })();
  28. if (xhr === null) WScript.Quit(1);
  29. // var wshell = new ActiveXObject('WScript.Shell');
  30. var fso = new ActiveXObject('Scripting.FileSystemObject');
  31. var currDir = fso.GetParentFolderName(WScript.ScriptFullName);
  32. var ipfile = currDir + '\\ip.txt';
  33. var netshScript = currDir + '\\netshScript.txt'
  34. var re = /\|(?:CN|HK|MO)\|ipv4\|((?:\d+\.){3}\d+)\|(\d+)/g;
  35. // var tsWrite1 = fso.openTextFile(ipfile, 2, true, -2);
  36. var tsWrite2 = fso.openTextFile(netshScript, 2, true, -2);
  37. // initialize netshScript.txt
  38. tsWrite2.WriteLine('ipsec static');
  39. tsWrite2.WriteLine('set batch enable');
  40. // delete old policy policy1
  41. tsWrite2.WriteLine('delete rule name="_AllowRule" policy="policy1"');
  42. tsWrite2.WriteLine('delete rule name="_BlockRule" policy="policy1"');
  43. tsWrite2.WriteLine('delete filterlist name="WhiteList"');
  44. tsWrite2.WriteLine('delete filterlist name="OtherAddr"');
  45. tsWrite2.WriteLine('delete filteraction name="_Allow"');
  46. tsWrite2.WriteLine('delete filteraction name="_Disallow"');
  47. tsWrite2.WriteLine('delete policy name="policy1"');
  48. // add filterlist
  49. tsWrite2.WriteLine('add filterlist name="WhiteList" description="Allowed IP addresses"');
  50. tsWrite2.WriteLine('add filterlist name="OtherAddr" description="Other disallowed IP addresses"');
  51. // 更新IP列表, netsh脚本 netshScript.txt
  52. // add filters to filterlist WhiteList
  53. tsWrite2.WriteLine('add filter filterlist="WhiteList" description="User defined local IP address" srcaddr=' + WScript.Arguments(0) + ' dstaddr=me protocol=any mirrored=no');
  54. tsWrite2.WriteLine('add filter filterlist="WhiteList" description="Gateway" srcaddr=GATEWAY dstaddr=me protocol=any mirrored=no');
  55. tsWrite2.WriteLine('add filter filterlist="WhiteList" description="DNS" srcaddr=DNS dstaddr=me protocol=any mirrored=no');
  56. tsWrite2.WriteLine('add filter filterlist="WhiteList" description="DHCP" srcaddr=DHCP dstaddr=me protocol=any mirrored=no');
  57. tsWrite2.WriteLine('add filter filterlist="WhiteList" description="WINS" srcaddr=WINS dstaddr=me protocol=any mirrored=no');
  58. tsWrite2.WriteLine('add filter filterlist="WhiteList" description="LAN" srcaddr=10.0.0.0 srcmask=8 dstaddr=me protocol=any mirrored=no');
  59. tsWrite2.WriteLine('add filter filterlist="WhiteList" description="LAN" srcaddr=172.16.0.0 srcmask=12 dstaddr=me protocol=any mirrored=no');
  60. tsWrite2.WriteLine('add filter filterlist="WhiteList" description="LAN" srcaddr=192.168.0.0 srcmask=16 dstaddr=me protocol=any mirrored=no');
  61. var arrURL = [
  62.   // 'http://ipblock.chacuo.net/down/t_txt=c_CN',
  63.   // 'http://ipblock.chacuo.net/down/t_txt=c_HK',
  64.   // 'http://ipblock.chacuo.net/down/t_txt=c_MO'
  65.   'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'
  66. ];
  67. var arrReferer = [
  68.   'http://ipblock.chacuo.net/view/c_CN',
  69.   'http://ipblock.chacuo.net/view/c_HK',
  70.   'http://ipblock.chacuo.net/view/c_MO'
  71. ];
  72. var arrIP, str, exitCode = 0;
  73. for (var i = 0; i < arrURL.length; i++) {
  74.   xhr.open('GET', arrURL[i], false); //CN,HK,MO
  75.   // xhr.setRequestHeader('Referer', arrReferer[i]);
  76.   xhr.send();
  77.   if (xhr.status === 200) {
  78.     str = xhr.responseText;
  79.     // WScript.Echo(str);
  80.     while (arrIP = re.exec(str)) {
  81.       var ip = arrIP[1];
  82.       var prefix = 32 - Math.log(+arrIP[2]) / Math.log(2);
  83.       tsWrite2.WriteLine('add filter filterlist="WhiteList" description="CNIP" srcaddr=' + ip + ' srcmask=' + prefix + ' dstaddr=me protocol=any mirrored=no');
  84.     }
  85.   } else {
  86.     exitCode++;
  87.     WScript.Echo('Download "' + arrURL[i] + '" failed.Status:' + xhr.status);
  88.   }
  89. }
  90. // add filters to filterlist OtherAddr
  91. tsWrite2.WriteLine('add filter filterlist="OtherAddr" description="ALL" srcaddr=any dstaddr=me protocol=any mirrored=no');
  92. // add filteraction permit
  93. tsWrite2.WriteLine('add filteraction name="_Allow" description="Allow connect" action=permit');
  94. // add filteraction block
  95. tsWrite2.WriteLine('add filteraction name="_Disallow" description="Disallow connect" action=block');
  96. // add policy
  97. tsWrite2.WriteLine('add policy name="policy1" description="policy1"');
  98. // add rule
  99. tsWrite2.WriteLine('add rule name="_AllowRule" description="Allow WhiteList to connect to local machine" policy="policy1" filterlist="WhiteList" filteraction="_Allow" activate=yes');
  100. tsWrite2.WriteLine('add rule name="_BlockRule" description="Block others to connect to local machine" policy="policy1" filterlist="OtherAddr" filteraction="_Disallow" activate=yes');
  101. // tsWrite2.WriteLine('delete filterlist name="WhiteList"'); //先删除原来的IP列表; filterlist被占用时无法被删除的
  102. // tsWrite2.WriteLine('add filterlist name="WhiteList" description="允许访问本地服务器的IP列表"'); //再创建新的IP列表
  103. // activate policy1
  104. tsWrite2.WriteLine('set policy name="policy1" assign=yes');
  105. // tsWrite1.close();
  106. tsWrite2.close();
  107. WScript.Quit(exitCode);
复制代码

回复 2# flashercs

好的,非常感谢您的支持,我这边测试一下,没问题的话,马上联系您转账。

TOP

  1. 0<1/*,:
  2. @echo off
  3. REM 脚本用于创建IPSec安全策略,阻止国外IP访问本地机器,必须以管理员身份运行
  4. REM 创建netsh Script
  5. cscript -nologo -e:jscript %0
  6. REM 执行netsh Script
  7. netsh -f "%~dp0netshScript.txt"
  8. pause
  9. exit /b
  10. */
  11. ;
  12. var xhr = (function () {
  13.   var aXMLHttpVers = ['MSXML2.XMLHTTP.6.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP', 'Microsoft.XMLHTTP'];
  14.   for (var i = 0; i < aXMLHttpVers.length; i++) {
  15.     try {
  16.       return WScript.CreateObject(aXMLHttpVers[i]);
  17.     } catch (error) {}
  18.   }
  19.   return null;
  20. })();
  21. if (xhr === null) WScript.Quit(1);
  22. var wshell = new ActiveXObject('WScript.Shell');
  23. var fso = new ActiveXObject('Scripting.FileSystemObject');
  24. var currDir = fso.GetParentFolderName(WScript.ScriptFullName);
  25. var ipfile = currDir + '\\ip.txt';
  26. var netshScript = currDir + '\\netshScript.txt'
  27. xhr.onReadystateChange = function () {
  28.   if (xhr.readyState == 4) {
  29.     var re = /\|(?:CN|HK|MO)\|ipv4\|((?:\d+\.){3}\d+)\|(\d+)/g;
  30.     var str = xhr.responseText;
  31.     var arrIP;
  32.     var tsWrite1 = fso.openTextFile(ipfile, 2, true, -2);
  33.     var tsWrite2 = fso.openTextFile(netshScript, 2, true, -2);
  34.     // initialize netshScript.txt
  35.     tsWrite2.WriteLine('ipsec static');
  36.     tsWrite2.WriteLine('set batch enable');
  37.     // delete old policy policy1
  38.     tsWrite2.WriteLine('delete policy name="policy1"');
  39.     // add filterlist
  40.     tsWrite2.WriteLine('add filterlist name="白名单" description="允许访问本地服务器的IP列表"');
  41.     tsWrite2.WriteLine('add filterlist name="所有地址" description="所有IP列表"');
  42.     // 更新IP列表, netsh脚本 netshScript.txt
  43.     // add filters to filterlist 白名单
  44.     while (arrIP = re.exec(str)) {
  45.       var ip = arrIP[1];
  46.       var prefix = 32 - Math.log(+arrIP[2]) / Math.log(2);
  47.       tsWrite1.WriteLine(ip + '/' + prefix);
  48.       tsWrite2.WriteLine('add filter filterlist="白名单" description="CNIP" srcaddr=' + ip + ' srcmask=' + prefix + ' dstaddr=me protocol=any mirrored=yes');
  49.     }
  50.     // add filters to filterlist 所有地址
  51.     tsWrite2.WriteLine('add filter filterlist="所有地址" description="ALL" srcaddr=any dstaddr=me protocol=any mirrored=yes');
  52.     // add filteraction permit
  53.     tsWrite2.WriteLine('add filteraction name="允许" description="允许访问" action=permit');
  54.     // add filteraction block
  55.     tsWrite2.WriteLine('add filteraction name="阻止" description="禁止访问" action=block');
  56.     // add policy
  57.     tsWrite2.WriteLine('add policy name="policy1" description="policy1"');
  58.     // add rule
  59.     tsWrite2.WriteLine('add rule name="允许规则" description="允许白名单访问规则" policy="policy1" filterlist="白名单" filteraction="允许" activate=yes');
  60.     tsWrite2.WriteLine('add rule name="阻止规则" description="禁止所有IP访问规则" policy="policy1" filterlist="所有地址" filteraction="阻止" activate=yes');
  61.     // tsWrite2.WriteLine('delete filterlist name="白名单"'); //先删除原来的IP列表; filterlist被占用时无法被删除的
  62.     // tsWrite2.WriteLine('add filterlist name="白名单" description="允许访问本地服务器的IP列表"'); //再创建新的IP列表
  63.     // activate policy1
  64.     tsWrite2.WriteLine('set policy name="policy1" assign=yes');
  65.     tsWrite1.close();
  66.     tsWrite2.close();
  67.     WScript.Quit();
  68.   }
  69. };
  70. var url = 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'; //更新IP地址库的来源网址
  71. xhr.open('GET', url, true);
  72. xhr.send();
  73. while (true) {
  74.   WScript.Sleep(100);
  75. }
复制代码
微信:flashercs
QQ:49908356

TOP

返回列表