
标题: 批处理结合IPSec策略制作windows防火墙 [打印本页]

作者: lxzzr     时间: 2008-9-9 11:28    标题: 批处理结合IPSec策略制作windows防火墙

能否用批处理结合 IPSec 策略制作一个 Windows 防火墙?
我的代码如下:
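@echo off
rem Batch + IPSec "firewall": every few seconds each ESTABLISHED connection
rem from netstat is checked against temp\lxz.log; a program that was never
rem logged is blocked first and the user is then asked whether to allow it.
rem All paths - temp\, ipseccmd.exe, ipseckill.exe - are relative to the
rem current directory, so the script must be started from its own folder.
rem NOTE(review): pinning the directory with  pushd "%~dp0"  would remove
rem that dependency; not added here because how IPSec_Firewall.exe below
rem relates to this script is not visible.
setlocal enabledelayedexpansion
set "dat=%date:~0,10% %time:~0,5%"
rem Redirect first: the timestamp ends in a digit, and a digit written right
rem before the redirect sign is read by cmd as a file-handle number, which
rem left the log empty and printed the text to the console instead.
if not exist temp (
    md temp
    >temp\lxz.log echo 创建时间: %dat%
)

rem NOTE(review): ChangeStartMode is called without a mode argument; the
rem start mode intended here is not visible in the script.
wmic SERVICE where "Name='policyagent'" call ChangeStartMode >nul 2>nul
wmic Service where name="policyagent" call stopservice >nul 2>nul
rem Test the pipeline's errorlevel explicitly. cmd evaluates its conditional
rem operators left to right, so in the original one-liner the trailing exit
rem also ran when the service had started fine.
wmic Service where name="policyagent" call startservice | find /i "ReturnValue = 0;" >nul
if errorlevel 1 (
    echo policyagent服务无法启动,程序退出! >>temp\lxz.log
    exit
)
echo %date:~0,10% %time:~0,5%  启动IPSEC服务..........成功! >>temp\lxz.log

rem Every helper used later must be present before any policy is written.
for %%f in ("%windir%\system32\WSHom.Ocx" "%windir%\system32\find.exe" ipseccmd.exe ipseckill.exe "%windir%\system32\cscript.exe") do (
    if not exist "%%~f" (
        echo %%~nxf文件丢失,程序退出! >>temp\lxz.log
        exit
    )
)
echo %date:~0,10% %time:~0,5%  文件完整性检测.........完毕! >>temp\lxz.log

regsvr32 "%windir%\system32\WSHom.Ocx" /s
echo %date:~0,10% %time:~0,5%  启动程序...............成功! >>temp\lxz.log

rem Write the notice script fresh so a stale temp\ok.vbs is not appended to.
echo MsgBox"防火墙成功启动!",64,"提示!">temp\ok.vbs
call temp\ok.vbs
del temp\ok.vbs /q
rem Presumably stops an earlier instance of this tool - confirm; the name is
rem not referenced anywhere else in the script.
wmic process where name='IPSec_Firewall.exe' delete >nul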

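:start
rem Poll loop. Redirect first: a digit written right before the redirect
rem sign is read by cmd as a file-handle number, which created an empty
rem sleep.vbs and made the loop spin without any delay.
if not exist temp\sleep.vbs (
    >temp\sleep.vbs echo wscript.sleep 5500
)
cscript temp\sleep.vbs >nul
rem One netstat line per connection: proto, local, remote, state, PID.
for /F "tokens=1,2,3,4,5 delims= " %%a in ('netstat -no^|find /i "ESTABLISHED"') do (
    rem Clear per-connection results so nothing leaks from the previous line.
    set "okpid=" & set "ok="
    call :file_all %%a %%b %%c %%d %%e
    rem file_all leaves Name empty when the owning process is already gone;
    rem skip that line instead of acting on a stale name.
    if defined Name (
        find /i "!Name!" temp\lxz.log >nul
        if errorlevel 1 (
            rem Never seen this program: block it and ask the user.
            call :all
        ) else (
            rem Take the last log line for this program. Split on colons, the
            rem 7th field starts with the PID recorded there and the 10th is
            rem the verdict. Only one action per line, as the original flow did.
            for /f "tokens=7,10 delims=:" %%p in ('find /i "!Name!" temp\lxz.log') do (
                for /f "tokens=1 delims= " %%i in ("%%p") do set "okpid=%%i"
                set "ok=%%q"
            )
            if not "!pid!" == "!okpid!" (
                call :all
            ) else if "!ok!" == "用户取消" (
                call :all
            ) else if "!ok!" == "阻止" (
                call :block
            )
        )
    )
)
goto :start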

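:file_all
rem Split one netstat line into the globals used by :all and :block.
rem Arguments: %1 protocol, %2 local addr:port, %3 remote addr:port,
rem %4 state, %5 PID. Sets xieyi bip bd yip yd pid Name.
rem NOTE(review): the colon split assumes IPv4 entries; a bracketed IPv6
rem address would not parse this way.
set "xieyi=%1"
set "pid=%5"
for /F "tokens=1,2 delims=:" %%a in ("%2") do (
    set "bip=%%a"
    set "bd=%%b"
)
for /F "tokens=1,2 delims=:" %%i in ("%3") do (
    set "yip=%%i"
    set "yd=%%j"
)
rem Clear first: when the PID no longer exists wmic prints nothing on stdout
rem and Name would otherwise keep the previous connection's value.
set "Name="
for /F "skip=1 usebackq tokens=1,2 delims= " %%x in (`"wmic process where ProcessId='%5' get name 2>nul"`) do set "Name=%%x"
goto :eof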

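:all
rem Ask the user about one connection. Reads Name xieyi bip bd yip yd PID.
rem Fail closed: the BLOCK policy is installed before the prompt, so the
rem connection stays blocked while the dialog is open or if it is dismissed.
ipseccmd -p "!Name!-!xieyi!-!bd!-!yd!-!yip!-!PID!" -r "BLOCK other !Name!-!xieyi!-!bd!" -f "!yip!"+0:"!bd!":"!xieyi!" -n BLOCK -w reg -x >nul 2>nul
gpupdate>nul
rem Generate the prompt script fresh, the first line overwrites, so a
rem leftover temp\lxz.vbs is not appended to. Yes=6, No=7, Cancel=2.
rem Name is reported by the process itself, so a misleading name can appear
rem in the prompt title; the IP and port fields come from netstat.
echo set os = CreateoBject^("wscript.shell"^)>temp\lxz.vbs
echo a=msgbox^("本机IP:!bip! 本地端口:!bd!  远程IP:!yip! 远程端口:!yd!  进程PID:!PID!,是否允许?",3,"应用程序!Name!试图以!xieyi!协议访问网络!"^)>>temp\lxz.vbs
echo if a=6 then>>temp\lxz.vbs
echo os.run "cmd.exe /c echo y>temp\lxz.txt",0,true>>temp\lxz.vbs
echo else if a=7 then>>temp\lxz.vbs
echo os.run "cmd.exe /c echo n>temp\lxz.txt",0,true>>temp\lxz.vbs
echo else if a=2 then>>temp\lxz.vbs
echo os.run "cmd.exe /c echo a>temp\lxz.txt",0,true>>temp\lxz.vbs
echo end if>>temp\lxz.vbs
echo end if>>temp\lxz.vbs
echo end if>>temp\lxz.vbs
call temp\lxz.vbs
del temp\lxz.vbs /q
rem Clear the previous answer: set /p leaves the variable untouched when the
rem file is missing, which would replay the last choice for a new program.
set "xuan="
if exist temp\lxz.txt (
    set /p xuan=<temp\lxz.txt
    del temp\lxz.txt /q
)
if /i "!xuan!" == "y" (
    rem Allowed: replace the BLOCK policy with a PASS one and log the verdict.
    ipseccmd -p "!Name!-!xieyi!-!bd!-!yd!-!yip!-!PID!" -w reg -y -o
    ipseccmd -p "!Name!-!xieyi!-!bd!-!yd!-!yip!-!PID!" -r "BLOCK other !Name!-!xieyi!-!bd!" -f "!yip!"+0:"!bd!":"!xieyi!" -n PASS -w reg -x
    echo %date:~0,10% %time:~0,5%  本机IP:!bip! 本地端口:!bd!  远程IP:!yip! 远程端口:!yd!  进程PID:!PID!  应用程序:!Name!  协议:!xieyi!  策略:放行>>temp\lxz.log
    gpupdate>nul
    goto :eof
)
if /i "!xuan!" == "n" (
    rem Denied: keep the BLOCK policy and tear down the live connection.
    rem ipseckill output is matched on the local port as a substring.
    for /f "tokens=1 delims= " %%a in ('ipseckill -l ^|find /i "!bd!"') do ipseckill -k %%a
    echo %date:~0,10% %time:~0,5%  本机IP:!bip! 本地端口:!bd!  远程IP:!yip! 远程端口:!yd!  进程PID:!PID!  应用程序:!Name!  协议:!xieyi!  策略:阻止>>temp\lxz.log
    gpupdate>nul
    goto :eof
)
if /i "!xuan!" == "a" (
    rem Cancelled: drop the policy again; the poll loop asks again next time.
    ipseccmd -p "!Name!-!xieyi!-!bd!-!yd!-!yip!-!PID!" -w reg -y -o
    echo %date:~0,10% %time:~0,5%  本机IP:!bip! 本地端口:!bd!  远程IP:!yip! 远程端口:!yd!  进程PID:!PID!  应用程序:!Name!  协议:!xieyi!  策略:用户取消>>temp\lxz.log
    gpupdate>nul
)
rem Return to the caller. The original ended with "goto :start", so no call
rem to :all ever returned and every prompt left another frame on cmd's call
rem stack until it overflowed.
goto :eof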

:block
rem Enforce a logged "阻止" verdict for a connection that is still open:
rem kill the live connection on this local port, then re-install the BLOCK
rem policy. Reads Name xieyi bd yd yip PID. The ipseckill listing is matched
rem on the port as a substring, so port 80 would also match 8080.
for /f "tokens=1 delims= " %%a in ('ipseckill -l ^|find /i "!bd!"') do ipseckill -k %%a
ipseccmd -p "!Name!-!xieyi!-!bd!-!yd!-!yip!-!PID!" -r "BLOCK other !Name!-!xieyi!-!bd!" -f "!yip!"+0:"!bd!":"!xieyi!" -n BLOCK -w reg -x >nul 2>nul
goto :eof




两个 exe 文件 (ipseccmd.exe、ipseckill.exe) 怎么上传不了?
一个是用来配置 IPSec 策略的, 一个是用来杀掉指定连接的。