I have a list of IP addresses.
L={x.x.x.x,y.y.y.y,...etc}
I want to block all IP addresses except for the ones in the above list.
How do I do this using IPsec commands on a Windows machine?
I tried to figure it out from the following Microsoft link, but no luck :-(
Example:
My target: Block all IPs on 198.18.84.161:80 except for the IP 198.18.84.162
I tried the following.
1) To block all IPs on port 80.
Steps:
netsh ipsec static add filterlist name=filterlist_198.18.84.161
netsh ipsec static add filter filterlist=filterlist_198.18.84.161 srcaddr=any dstaddr=Me protocol=tcp srcport=0 dstport=80
netsh ipsec static add filteraction name=action_198.18.84.161 action=block
netsh ipsec static add policy name=policy_198.18.84.161 assign=yes
netsh ipsec static add rule name=rule_198.18.84.161 policy=policy_198.18.84.161 filterlist=filterlist_198.18.84.161 filteraction=action_198.18.84.161
Result: It blocked all IPs on port 80
2) To Allow IP 198.18.84.162 on port 80 of the machine 198.18.84.161
Steps:
netsh ipsec static add filterlist name=filterlist_198.18.84.162
netsh ipsec static add filter filterlist=filterlist_198.18.84.162 srcaddr=198.18.84.162 dstaddr=Me protocol=tcp srcport=0 dstport=80
netsh ipsec static add filteraction name=action_198.18.84.162 action=permit
netsh ipsec static add policy name=policy_198.18.84.162 assign=yes
netsh ipsec static add rule name=rule_198.18.84.162 policy=policy_198.18.84.162 filterlist=filterlist_198.18.84.162 filteraction=action_198.18.84.162
Result: This unblocked all IPs on port 80 instead of only unblocking 198.18.84.162
I found the answer myself.
Below are the steps:
1. Block all IPs on port 80
netsh ipsec static add filterlist name=filterlist_198.18.84.161
netsh ipsec static add filter filterlist=filterlist_198.18.84.161 srcaddr=any dstaddr=Me protocol=tcp srcport=0 dstport=80
netsh ipsec static add filteraction name=action_198.18.84.161 action=block
netsh ipsec static add policy name=policy_198.18.84.161 assign=yes
netsh ipsec static add rule name=rule_198.18.84.161 policy=policy_198.18.84.161 filterlist=filterlist_198.18.84.161 filteraction=action_198.18.84.161
2. Allow a specific IP on port 80.
netsh ipsec static add filterlist name=filterlist_198.18.84.162
netsh ipsec static add filter filterlist=filterlist_198.18.84.162 srcaddr=198.18.84.162 dstaddr=Me protocol=tcp srcport=0 dstport=80
netsh ipsec static add filteraction name=action_198.18.84.162 action=permit
netsh ipsec static add rule name=rule_198.18.84.162 policy=policy_198.18.84.161 filterlist=filterlist_198.18.84.162 filteraction=action_198.18.84.162
The trick was to use the same policy for both rules above.
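The same block-all / permit-list construction generalised to a whole list of addresses, as an added PowerShell example that is not code from the question or the answer above: all permitted addresses go into one filter list inside the single policy, and the address list, port and name prefix are constructed placeholders.

```powershell
# Added example: block every source on a local TCP port except a list of
# addresses, using the legacy "netsh ipsec static" policy store as in the
# answer above. Run from an elevated prompt. $Allowed, $Port and $Prefix are
# constructed sample values, not from the original post.
$Allowed = @('198.18.84.162', '198.18.84.163')   # constructed sample list L
$Port    = 80
$Prefix  = "web$Port"

$policy     = "policy_$Prefix"
$blockList  = "filterlist_${Prefix}_blockall"
$permitList = "filterlist_${Prefix}_allow"

# 1. Block all sources to the local port (same filter as the answer's step 1).
netsh ipsec static add filterlist "name=$blockList"
netsh ipsec static add filter "filterlist=$blockList" srcaddr=any dstaddr=Me protocol=tcp srcport=0 "dstport=$Port"
netsh ipsec static add filteraction "name=action_${Prefix}_block" action=block

# 2. One permit filter per allowed address, all in a single filter list.
netsh ipsec static add filterlist "name=$permitList"
foreach ($ip in $Allowed) {
    netsh ipsec static add filter "filterlist=$permitList" "srcaddr=$ip" dstaddr=Me protocol=tcp srcport=0 "dstport=$Port"
}
netsh ipsec static add filteraction "name=action_${Prefix}_permit" action=permit

# 3. Both rules in the SAME policy, which is the point of the answer: within one
#    policy the more specific per-address filter takes precedence over the
#    any-source block filter, so only the listed addresses reach the port.
netsh ipsec static add policy "name=$policy" assign=yes
netsh ipsec static add rule "name=rule_${Prefix}_block" "policy=$policy" "filterlist=$blockList" "filteraction=action_${Prefix}_block"
netsh ipsec static add rule "name=rule_${Prefix}_allow" "policy=$policy" "filterlist=$permitList" "filteraction=action_${Prefix}_permit"

# Review the resulting policy (filter lists, filters and actions) before relying on it.
netsh ipsec static show policy "name=$policy"
```

Test from one listed and one unlisted address before leaving the policy assigned; if a later rule is added in a second policy, it replaces this one rather than merging with it, which is the behaviour seen in the question's first attempt.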