如何使用命令行阻止 Windows 防火墙中除一个 IP 之外的所有流量

如何使用命令行阻止 Windows 防火墙中除一个 IP 之外的所有流量

我有一个项目,为此我只需要允许来自某个子网的连接,其他一切都必须放弃。问题是这一切都将自动化,没有用户交互,因此其他显示如何在 Windows 中使用 GUI 的答案都不好。我有一个运行 Windows shell 命令(netsh advfirewall...)的 Python 脚本,它可以制定我想要的所有规则,但是如果我添加一个阻止所有规则,它会覆盖我所有的允许规则。我尝试将它添加到规则列表的第一个和最后一个,我不确定我做错了什么。附件是我的命令/规则

import subprocess

#allow connections over port 80 and 443 tcp
subprocess.call('netsh advfirewall firewall add rule name="allow port 80 tcp in" dir=in localport=80 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 80 tcp out" dir=out localport=80 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 443 tcp in" dir=in localport=443 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 443 tcp out" dir=out localport=443 protocol=tcp action=allow', shell=True)

#allow icmt v4/v6 in/out
subprocess.call('netsh advfirewall firewall add rule name="allow port icmpv4 in" dir=in protocol=icmpv4 action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port icmpv6 in" dir=in protocol=icmpv6 action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port icmpv4 out" dir=out protocol=icmpv4 action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port icmpv6 out" dir=out protocol=icmpv4 action=allow', shell=True)

#allow ssh (port 20) via specific subnets
subprocess.call('netsh advfirewall firewall add rule name="allow port 20 in" dir=in localport=20 remoteip =10.0.0.0/8 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 20 in" dir=in localport=20 remoteip =192.168.0.0/16 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 20 in" dir=in localport=20 remoteip =172.0.0.0/8 protocol=tcp action=allow', shell=True)

subprocess.call('netsh advfirewall firewall add rule name="allow port 20 out" dir=out localport=20 remoteip =10.0.0.0/8 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 20 out" dir=out localport=20 remoteip =192.168.0.0/16 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 20 out" dir=out localport=20 remoteip =172.0.0.0/8 protocol=tcp action=allow', shell=True)

#allow rdp (port 3389) via specific subnets

subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 in tcp" dir=in localport=3389 remoteip =10.0.0.0/8 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 in tcp" dir=in localport=3389 remoteip =192.168.0.0/16 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 in tcp" dir=in localport=3389 remoteip =172.0.0.0/8 protocol=tcp action=allow', shell=True)

subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 out tcp" dir=out localport=3389 remoteip =10.0.0.0/8 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 out tcp" dir=out localport=3389 remoteip =192.168.0.0/16 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 out tcp" dir=out localport=3389 remoteip =172.0.0.0/8 protocol=tcp action=allow', shell=True)

subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 in udp" dir=in localport=3389 remoteip =10.0.0.0/8 protocol=udp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 in udp" dir=in localport=3389 remoteip =192.168.0.0/16 protocol=udp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 in udp" dir=in localport=3389 remoteip =172.0.0.0/8 protocol=udp action=allow', shell=True)

subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 out udp" dir=out localport=3389 remoteip =10.0.0.0/8 protocol=udp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 out udp" dir=out localport=3389 remoteip =192.168.0.0/16 protocol=udp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 out udp" dir=out localport=3389 remoteip =172.0.0.0/8 protocol=udp action=allow', shell=True)

#Block all connections
subprocess.call('netsh advfirewall firewall add rule name="block all inbound" dir=in protocol=any action=block', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="block all outbound" dir=out protocol=any action=block', shell=True)

答案1

因此,我继续进行研究,发现我最初忽略了一件事,那就是阻止注释优先于其他所有内容 - 无论它们放在哪里。实现我想要的唯一方法是将 Windows 防火墙设置为默认阻止所有内容,然后设置允许规则。要使用 netsh 执行此操作,您需要执行以下操作:

netsh advfirewall set allprofiles firewallpolicy blockinbound

您还可以通过添加逗号来阻止出站,并通过将 block 更改为 allow 来允许。

相关内容