How to block all but a specific list of IP addresses on a given port using IPSEC on Windows?


I have a list of IP addresses.

L={x.x.x.x,y.y.y.y,...etc}

I want to block all IP addresses except for the ones in the above list.

How do I do this using IPSEC commands on a Windows machine?

I tried to figure out from the following Microsoft link. But no luck :-(

Example:

My target: Block all IPs on 198.18.84.161:80 except for the IP 198.18.84.162

I tried the following.

1) To block all IPs on port 80.

Steps:

netsh ipsec static add filterlist name=filterlist_198.18.84.161

netsh ipsec static add filter filterlist=filterlist_198.18.84.161 srcaddr=any dstaddr=Me protocol=tcp srcport=0 dstport=80

netsh ipsec static add filteraction name=action_198.18.84.161 action=block

netsh ipsec static add policy name=policy_198.18.84.161 assign=yes

netsh ipsec static add rule name=rule_198.18.84.161 policy=policy_198.18.84.161 filterlist=filterlist_198.18.84.161 filteraction=action_198.18.84.161

Result: It blocked all IPs on port 80

2) To Allow IP 198.18.84.162 on port 80 of the machine 198.18.84.161

Steps:

netsh ipsec static add filterlist name=filterlist_198.18.84.162

netsh ipsec static add filter filterlist=filterlist_198.18.84.162 srcaddr=198.18.84.162 dstaddr=Me protocol=tcp srcport=0 dstport=80

netsh ipsec static add filteraction name=action_198.18.84.162 action=permit

netsh ipsec static add policy name=policy_198.18.84.162 assign=yes

netsh ipsec static add rule name=rule_198.18.84.162 policy=policy_198.18.84.162 filterlist=filterlist_198.18.84.162 filteraction=action_198.18.84.162

Result: This unblocked all IPs on port 80 instead of only unblocking 198.18.84.162


There is 1 answer

Aditya On

I found the answer myself.

Below are the steps:

1. Block all IPs on port 80

netsh ipsec static add filterlist name=filterlist_198.18.84.161

netsh ipsec static add filter filterlist=filterlist_198.18.84.161 srcaddr=any dstaddr=Me protocol=tcp srcport=0 dstport=80

netsh ipsec static add filteraction name=action_198.18.84.161 action=block

netsh ipsec static add policy name=policy_198.18.84.161 assign=yes

netsh ipsec static add rule name=rule_198.18.84.161 policy=policy_198.18.84.161 filterlist=filterlist_198.18.84.161 filteraction=action_198.18.84.161

2. Allow a specific IP on port 80.

netsh ipsec static add filterlist name=filterlist_198.18.84.162

netsh ipsec static add filter filterlist=filterlist_198.18.84.162 srcaddr=198.18.84.162 dstaddr=Me protocol=tcp srcport=0 dstport=80

netsh ipsec static add filteraction name=action_198.18.84.162 action=permit

netsh ipsec static add rule name=rule_198.18.84.162 policy=policy_198.18.84.161 filterlist=filterlist_198.18.84.162 filteraction=action_198.18.84.162

The trick was to use the same policy for both of the rules above.
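The answer covers one allowed address; the question asked about a whole list. The following is an added example (not from the original post) that generates the same netsh ipsec static sequence for any list of allowed sources, keeping every rule in one policy and assigning it only after all rules exist. The helper name build_allowlist_policy, the filter list and rule names, and the sample addresses are my own; the netsh syntax is the one used on this page.

```python
import ipaddress
from typing import Iterable, List


def build_allowlist_policy(host_ip: str, port: int, allowed_ips: Iterable[str],
                           protocol: str = "tcp") -> List[str]:
    """Return netsh commands that block every source on <host>:<port> except allowed_ips.

    Why one policy: only one IPsec static policy can be assigned at a time, so the
    second 'add policy ... assign=yes' in the question unassigned the block policy
    and let everything through. Inside a single assigned policy the more specific
    filter (one source address) takes precedence over the srcaddr=any filter, so
    the permit filters win for the listed sources and the block filter catches the rest.
    """
    host = ipaddress.ip_address(host_ip)          # ValueError on a malformed address
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    # Validate and de-duplicate every allowed source before emitting anything.
    sources = sorted({str(ipaddress.ip_address(ip)) for ip in allowed_ips})
    if not sources:
        raise ValueError("allow list is empty; this would block the port for everyone")

    block_fl = f"block_{host}"      # names follow the page's <purpose>_<host> convention
    permit_fl = f"permit_{host}"
    policy = f"policy_{host}"
    flt = f"dstaddr=Me protocol={protocol} srcport=0 dstport={port}"  # srcport=0 == any

    cmds = [
        f"netsh ipsec static add filterlist name={block_fl}",
        f"netsh ipsec static add filter filterlist={block_fl} srcaddr=any {flt}",
        f"netsh ipsec static add filterlist name={permit_fl}",
    ]
    # One permit filter per allowed source, all in the same permit filter list.
    for src in sources:
        cmds.append(f"netsh ipsec static add filter filterlist={permit_fl} srcaddr={src} {flt}")
    cmds += [
        f"netsh ipsec static add filteraction name=action_block_{host} action=block",
        f"netsh ipsec static add filteraction name=action_permit_{host} action=permit",
        # Create the policy unassigned, attach both rules, then assign it once, so
        # the block rule is never active without its permit companion.
        f"netsh ipsec static add policy name={policy} assign=no",
        f"netsh ipsec static add rule name=rule_block_{host} policy={policy} "
        f"filterlist={block_fl} filteraction=action_block_{host}",
        f"netsh ipsec static add rule name=rule_permit_{host} policy={policy} "
        f"filterlist={permit_fl} filteraction=action_permit_{host}",
        f"netsh ipsec static set policy name={policy} assign=yes",
        # Verification step: confirm exactly this policy is assigned and holds both rules.
        f"netsh ipsec static show policy name={policy} level=verbose",
    ]
    return cmds


if __name__ == "__main__":
    # Constructed sample: the page's host and two allowed peers.
    print("\n".join(build_allowlist_policy("198.18.84.161", 80,
                                           ["198.18.84.162", "198.18.84.170"])))
```

Run it on the host and paste the output into an elevated command prompt; the final show command is the check that the permit and block rules live under the one assigned policy.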