
IPSec configuration script
(copied from a neighbouring site)

On Windows Server, IPSec can be configured through Administrative Tools > Local Security Policy or Administrative Tools > Domain Security Policy.

But once the number of servers grows, and each server needs a different IPSec configuration, it is no longer practical to configure them one by one. In that case, write a script like the one below and run it from a command prompt to apply it.
If the servers are joined to a domain, create the policy in Domain Security Policy and then run the gpupdate command in a command shell on each server to apply it. When you configure it this way, after finishing the settings you have to connect to the server remotely, open a command prompt and enter gpupdate /force; otherwise IPSec is only applied after the next policy refresh interval.

For a standalone server, configure it in Local Security Policy.
This is said to work only on Windows 2003.

Save the script below as a text file and run it from a command shell as netsh exec <filename>. Details are in the comments below. ^^
Ask if anything is unclear~

To check whether IPSec has been applied correctly, open a command shell and test the port.
For example, to check whether RDP connections go through, enter:
telnet www.littleworld.net 3389
If the screen clears, the connection succeeded. If it does not clear, IPSec is blocking it. RDP uses port 3389. To test a DB connection, enter 1433, or, if you changed the DB port, the port number you changed it to.

And I did not write the script below -ㅅ-;; Sorry for quietly borrowing it from my manager~~

* UDP 53 and TCP 53 are the DNS settings. If you do not allow them, the browser cannot find a site even when you enter its domain name.

################################################################################
# Sample IpSec script for Windows 2003 by inho, 2005/07/22
# You can execute this script with
# netsh exec <file name>
# NOTE! this policy is not assigned by default. You should assign this policy manually.
# Modified by Lowy Shin. 2005/11/17
################################################################################

################################################################################
# Specify store. If you are using domain, specify location=domain
################################################################################

ipsec static set store location=local
#ipsec static set store location=domain

################################################################################
# Add a policy.
# You can assign this policy automatically with specifying assign=yes.
# NOTE! If you do it, existing policy is disabled.
# So you should not do it unless you understand what you are doing.
################################################################################

ipsec static add policy name=lwPolicy activatedefaultrule=yes assign=no

################################################################################
# Add filterlists.
################################################################################

ipsec static add filterlist name=Littleworld
ipsec static add filterlist name=SvrManager
ipsec static add filterlist name=Local
ipsec static add filterlist name=BlockPort

################################################################################
# Add filteractions.
################################################################################

ipsec static add filteraction name=Permit action=permit
ipsec static add filteraction name=Block action=block

################################################################################
# Add filters to each filterlist.
################################################################################

# Littleworld FilterList (Permit All)
ipsec static add filter filterlist=Littleworld srcaddr=me dstaddr=100.100.100.1 dstmask=255.255.255.248 protocol=ANY mirrored=yes

# SvrManager FilterList
ipsec static add filter filterlist=SvrManager srcaddr=me dstaddr=100.100.100.2 dstmask=255.255.255.255 protocol=ANY mirrored=yes
ipsec static add filter filterlist=SvrManager srcaddr=me dstaddr=100.100.101.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes
ipsec static add filter filterlist=SvrManager srcaddr=me dstaddr=100.100.102.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes

# Local (Local IP Block)
ipsec static add filter filterlist=Local srcaddr=me dstaddr=192.168.1.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes
ipsec static add filter filterlist=Local srcaddr=me dstaddr=192.168.2.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes

# Block RPC
ipsec static add filter filterlist=BlockPort srcaddr=me srcport=135 dstaddr=ANY protocol=TCP mirrored=yes

# Block SMB
ipsec static add filter filterlist=BlockPort srcaddr=me srcport=445 dstaddr=ANY protocol=TCP mirrored=yes
ipsec static add filter filterlist=BlockPort srcaddr=me srcport=445 dstaddr=ANY protocol=UDP mirrored=yes

# Block Terminal
ipsec static add filter filterlist=BlockPort srcaddr=me srcport=3389 dstaddr=ANY protocol=TCP mirrored=yes

# Block NetBT
ipsec static add filter filterlist=BlockPort srcaddr=me srcport=139 dstaddr=ANY protocol=TCP mirrored=yes
ipsec static add filter filterlist=BlockPort srcaddr=me srcport=137 dstaddr=ANY protocol=UDP mirrored=yes
ipsec static add filter filterlist=BlockPort srcaddr=me srcport=138 dstaddr=ANY protocol=UDP mirrored=yes

# Block PPTP (VPN)
ipsec static add filter filterlist=BlockPort srcaddr=me dstaddr=ANY protocol=47 mirrored=yes
ipsec static add filter filterlist=BlockPort srcaddr=me srcport=1723 dstaddr=ANY protocol=TCP mirrored=yes

# Block FTP
ipsec static add filter filterlist=BlockPort srcaddr=me srcport=21 dstaddr=ANY protocol=TCP mirrored=yes

# Block Telnet/SSH
ipsec static add filter filterlist=BlockPort srcaddr=me srcport=22 dstaddr=ANY protocol=TCP mirrored=yes
ipsec static add filter filterlist=BlockPort srcaddr=me srcport=23 dstaddr=ANY protocol=TCP mirrored=yes

# Block SMTP
ipsec static add filter filterlist=BlockPort srcaddr=me srcport=25 dstaddr=ANY protocol=TCP mirrored=yes

################################################################################
# Add rules to the policy with each filterlist and filteraction.
################################################################################

ipsec static add rule name=1 policy=lwPolicy filter=Littleworld filteraction=Permit
ipsec static add rule name=2 policy=lwPolicy filter=Local filteraction=Permit
ipsec static add rule name=3 policy=lwPolicy filter=SvrManager filteraction=Permit
ipsec static add rule name=6 policy=lwPolicy filter=BlockPort filteraction=Block

For reference, to restart the IPSec service enter:
net stop policyagent & net start policyagent
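Since the rule names (1, 2, 3, 6) in the script above do not define an evaluation order, the following added example (not part of the original post or of the borrowed script) parses lines written in the same netsh ipsec static syntax and predicts which filter action applies to an inbound connection, using the assumed model that Windows IPsec picks the most specific matching filter, with address specificity outranking protocol and then port. The embedded script excerpt is constructed, and the parser accepts both the filter= spelling the post's rules use and netsh's documented filterlist=.

```python
import ipaddress
# Constructed excerpt in the same "netsh ipsec static" syntax as the post's script.
SCRIPT = """
ipsec static add filteraction name=Permit action=permit
ipsec static add filteraction name=Block action=block
ipsec static add filter filterlist=SvrManager srcaddr=me dstaddr=100.100.100.2 dstmask=255.255.255.255 protocol=ANY mirrored=yes
ipsec static add filter filterlist=BlockPort srcaddr=me srcport=3389 dstaddr=ANY protocol=TCP mirrored=yes
ipsec static add filter filterlist=BlockPort srcaddr=me srcport=445 dstaddr=ANY protocol=TCP mirrored=yes
ipsec static add rule name=3 policy=lwPolicy filter=SvrManager filteraction=Permit
ipsec static add rule name=6 policy=lwPolicy filter=BlockPort filteraction=Block
"""

def parse(script):
    """Return (kind, {key: value}) for every 'ipsec static add ...' line."""
    out = []
    for line in script.splitlines():
        line = line.strip()
        if line.startswith("ipsec static add "):
            kind, _, rest = line[len("ipsec static add "):].partition(" ")
            out.append((kind, dict(kv.split("=", 1) for kv in rest.split())))
    return out

def decide(script, peer_ip, local_port, proto="TCP"):
    """Action for an inbound connection peer_ip -> me:local_port. Assumed model:
    the most specific matching filter wins (address, then protocol, then port)."""
    entries = parse(script)
    actions = {e["name"]: e["action"] for k, e in entries if k == "filteraction"}
    lists = {}
    for k, e in entries:
        if k == "filter":
            lists.setdefault(e["filterlist"], []).append(e)
    best = None
    for k, rule in entries:
        if k != "rule":
            continue
        for f in lists[rule.get("filterlist", rule.get("filter"))]:
            # mirrored=yes: for inbound traffic the peer is dstaddr and our service port is srcport
            addr_weight = -1
            if f["dstaddr"] != "ANY":
                net = ipaddress.ip_network(f"{f['dstaddr']}/{f.get('dstmask', '255.255.255.255')}", strict=False)
                if ipaddress.ip_address(peer_ip) not in net:
                    continue
                addr_weight = net.prefixlen
            if f["protocol"] not in ("ANY", proto) or int(f.get("srcport", local_port)) != local_port:
                continue
            weight = (addr_weight, f["protocol"] != "ANY", "srcport" in f)
            if best is None or weight > best[0]:
                best = (weight, actions[rule["filteraction"]])
    return best[1] if best else "permit"  # nothing matched: IPsec leaves the traffic alone
```

Run decide(SCRIPT, "100.100.100.2", 3389) to see the management host's /32 permit outrank the ANY-address RDP block, while decide(SCRIPT, "8.8.8.8", 3389) is blocked.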


Original: http://magic.littleworld.net/ai/kmod.asp?no=707&isn=585&mymsg=ipsec