

windows 2003 ipsec command with AD

windows 2003에서 ipsec을 통한 방화벽 구성을 하기 위해서는 아래와 같이 지정하면 된다.
뭐 세부 사항은 알아서 공부 하고,

중요한점은 ad 상일때 이다.  

모두 적용한 뒤 바로 정책을 내려받아 적용하려면

gpupdate /force 를 해야 한다. ㅠ.ㅠ 닝기리....

AD 상일 때는 저장소를 도메인으로 바꾸어야 하므로, 아래 내용이 담긴 파일을 만들고,
그 파일을 호출하는 별도의 bat 파일을 만들어야 한다.

netsh exec <호출할 파일의 절대경로와 파일이름>

이런식으로 배치파일을 만든다.


그리고 도움말이 필요하면 netsh를 치면 나온다...

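######################################################################################
##############  Filter names and filter list: inbound section  #######################
######################################################################################
# netsh ipsec static script, run with `netsh exec <absolute path of this file>`.
# Builds one IPsec policy that permits a fixed set of inbound ports, blocks all
# other inbound traffic, and assigns the policy through Group Policy.
# NOTE(review): IPsec filters here are not stateful, and `add filter` creates
# mirrored filters unless mirrored=no is given, so the any-protocol block filter
# at the end may also affect connections the server itself initiates. Verify on a
# single test host (location=local) before the domain-wide assignment below.

# Target the domain policy store (use location=local for a single machine).
# Everything written here ends up on every computer that receives the GPO.
ipsec static set store location=domain domain=eplan.co.kr
# Filter list that collects the explicitly permitted inbound ports.
ipsec static add filterlist name=inbound_filterlist description=inboundfilterlist
# TCP ports to open. Every filter below accepts srcaddr=any; where the management
# or client network is known, narrowing srcaddr (especially for 135, the RPC
# range and 3389) limits exposure to that network only.
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=80 description=tcp_80_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=53  description=tcp_53_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=135 description=tcp_135_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1025 description=tcp_1025_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1035 description=tcp_1035_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1034 description=tcp_1034_open
# Ports 1200-1250 presumably correspond to a pinned RPC dynamic port range on the
# host — TODO confirm this list matches the host's RPC port configuration, and
# drop any port that is not actually in use.
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1200 description=tcp_rpc_1200_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1201 description=tcp_rpc_1201_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1202 description=tcp_rpc_1202_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1203 description=tcp_rpc_1203_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1204 description=tcp_rpc_1204_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1205 description=tcp_rpc_1205_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1206 description=tcp_rpc_1206_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1207 description=tcp_rpc_1207_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1208 description=tcp_rpc_1208_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1209 description=tcp_rpc_1209_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1210 description=tcp_rpc_1210_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1211 description=tcp_rpc_1211_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1212 description=tcp_rpc_1212_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1213 description=tcp_rpc_1213_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1214 description=tcp_rpc_1214_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1215 description=tcp_rpc_1215_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1216 description=tcp_rpc_1216_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1217 description=tcp_rpc_1217_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1218 description=tcp_rpc_1218_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1219 description=tcp_rpc_1219_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1220 description=tcp_rpc_1220_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1221 description=tcp_rpc_1221_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1222 description=tcp_rpc_1222_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1223 description=tcp_rpc_1223_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1224 description=tcp_rpc_1224_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1225 description=tcp_rpc_1225_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1226 description=tcp_rpc_1226_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1227 description=tcp_rpc_1227_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1228 description=tcp_rpc_1228_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1229 description=tcp_rpc_1229_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1230 description=tcp_rpc_1230_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1231 description=tcp_rpc_1231_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1232 description=tcp_rpc_1232_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1233 description=tcp_rpc_1233_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1234 description=tcp_rpc_1234_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1235 description=tcp_rpc_1235_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1236 description=tcp_rpc_1236_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1237 description=tcp_rpc_1237_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1238 description=tcp_rpc_1238_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1239 description=tcp_rpc_1239_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1240 description=tcp_rpc_1240_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1241 description=tcp_rpc_1241_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1242 description=tcp_rpc_1242_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1243 description=tcp_rpc_1243_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1244 description=tcp_rpc_1244_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1245 description=tcp_rpc_1245_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1246 description=tcp_rpc_1246_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1247 description=tcp_rpc_1247_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1248 description=tcp_rpc_1248_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1249 description=tcp_rpc_1249_open
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=1250 description=tcp_rpc_1250_open

# UDP port to open (DNS).
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=udp dstport=53 description=udp_dns_53_open

# Remote Desktop (TCP 3389). The description names the protocol and service the
# same way as the other entries, so the filter is identifiable when the store is
# listed; a label saying udp/dns on a TCP 3389 filter would be misleading.
ipsec static add filter filterlist=inbound_filterlist srcaddr=any dstaddr=me protocol=tcp dstport=3389 description=tcp_rdp_3389_open


#################################################################################################
######################  Filter actions: block  ###################################################
#################################################################################################
# The only filter action this script creates explicitly; the permit rule below
# relies on the store's built-in Permit action.
ipsec static add filteraction name=block description=block action=block


##################################################################################################
#############################  Create the policy and rules, link and activate  ###################
##################################################################################################

# Policy container. assign=y marks it assigned in the store; domain members only
# pick it up after the GPO link below and a gpupdate /force on each client.
ipsec static add policy name=serverpolicy description=serverpolicy activatedefaultrule=y assign=y
# Permit rule for the explicitly opened ports. filteraction=Permit is not created
# in this script — NOTE(review): if this add fails because the action is unknown
# in the domain store, define a permit action the same way `block` is defined above.
ipsec static add rule name=serverrule policy=serverpolicy description=serverrule conntype=all activate=yes kerberos=yes filterlist=inbound_filterlist filteraction=Permit
# Links the policy to the domain-wide default GPO, which is linked at the domain
# root, so every domain computer receives this block-by-default policy. A
# dedicated GPO linked to the OU of the intended servers limits the blast radius
# of a mistake in the port list to those hosts.
ipsec static set policy name=serverpolicy gponame="Default Domain Policy" assign=yes

##################################################################################################

# Catch-all block: protocol=any from any source to this host. IPsec applies the
# most specific matching filter, so the single-port permits above are expected to
# take precedence over this one — confirm on a test host before relying on it.
ipsec static add filterlist name=inbound_filterlist_block description=inboundfilterlist_block
ipsec static add filter filterlist=inbound_filterlist_block srcaddr=any dstaddr=me protocol=any description=all_inbound_block
ipsec static add rule name=serverblockrule policy=serverpolicy description=serverblockrule conntype=all activate=yes kerberos=yes filterlist=inbound_filterlist_block filteraction=block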