Administrators daredevil Posted February 26, 2013
Does anyone have a good batch script to import IPs into a specific Windows 2008 R2 Firewall rule? I have a set of rules at present... What I would like to do is add the IPs listed in the batch file to a specific rule in the firewall. This way I can give staff access to the batch file through FTP, and web panel access to execute the batch file, which will add the IPs to the ban list. Of course, I could google this, but if anyone has an idea of how to make this work, it would save me some time.
Jopa Posted February 26, 2013 (edited)
Right-click Inbound Rules and select New Rule. As Figure 1 shows, you can select Program, Port, Predefined, or Custom for the rule type. I typically select Custom, because this option prompts you to enter a scope for the rule. Click Next to continue. In the next dialog box, which Figure 2 shows, you can specify a program or services that the rule will match. In my example, I selected All programs so that traffic will be controlled by the port number. As Figure 3 shows, I then selected TCP for the protocol type, and I selected Specific Ports from the Local port drop-down menu and specified port 1433, which is the default port for SQL Server. Because remote ports are dynamic, I selected All Ports. In the Scope dialog box, which Figure 4 shows, I specified the local IP address of 192.168.1.11 and the remote IP address of 192.168.1.10, which is the IP address of my organization's SharePoint front-end server. I strongly recommend specifying a scope with every rule, in case the server is accidentally exposed to unwanted subnets. Finally, use a descriptive name for the rule, specifying the allowed service, scope, and ports, as Figure 7 shows. Using a descriptive name makes it easier to identify what a rule does. Click Finish to create the new inbound rule.
Configuring Windows Firewall Rule
Maybe this will help you; if something is not clear or you need some explanation, please shoot, ok.
Edited February 26, 2013 by Jopa
Administrators daredevil (Author) Posted February 26, 2013
I already know how to create firewall rules. I specifically asked for a "batch" script.
Jopa Posted February 26, 2013 (edited)
I put together the following script to create Windows firewall rules to open ports for SCOM on Windows 2008 R2. Since SCOM requires UDP port 5723 & TCP port 5723 for communication (which it doesn't open automatically), opening them manually is necessary. This script is based on code from MSDN Sample Code.

    On Error GoTo 0

    'Set constants (protocol numbers and scope values used by the HNetCfg firewall API)
    Const NET_FW_IP_PROTOCOL_UDP = 17
    Const NET_FW_IP_PROTOCOL_TCP = 6
    Const NET_FW_SCOPE_ALL = 0
    Const NET_FW_SCOPE_LOCAL_SUBNET = 1

    'Declare variables
    Dim errornum

    ' Create the firewall manager object.
    Dim fwMgr
    Set fwMgr = CreateObject("HNetCfg.FwMgr")

    ' Get the current profile for the local firewall policy.
    Dim profile
    Set profile = fwMgr.LocalPolicy.CurrentProfile

    ' Describe the port to open: name, protocol and port number.
    Dim port
    Set port = CreateObject("HNetCfg.FWOpenPort")
    port.Name = "HTTP"
    port.Protocol = NET_FW_IP_PROTOCOL_TCP
    port.Port = 80
    'If using Scope, don't use RemoteAddresses
    port.Scope = NET_FW_SCOPE_ALL
    'Use this line to scope the port to Local Subnet only
    'port.Scope = NET_FW_SCOPE_LOCAL_SUBNET
    port.Enabled = True
    'Use this line instead if you want to add the port, but disabled
    'port.Enabled = False

    ' Add the port to the profile and report any failure by error number.
    On Error Resume Next
    profile.GloballyOpenPorts.Add port
    errornum = Err.Number
    If errornum <> 0 Then
        WScript.Echo "Adding the port failed. Error Number: " & errornum
    End If

The script code here provides the ability to create multiple Windows firewall rules quickly and easily. Later, I may add code to modify/remove rules.
Download file HERE
This is it; if not, go further.
Edited February 26, 2013 by Jopa
Administrators daredevil (Author) Posted February 26, 2013
We already have one rule for it in the firewall... how do you keep adding IPs to it?
Jopa Posted February 26, 2013 (edited)
Bulk import IPs into your Windows Server 2008 R2 Firewall
Below there is a line of code that specifies the local IPs this firewall rule is supposed to affect:
serverIPs = "yourFirstIP,yourSecondIP,yourThirdIP"
Just update this with the actual IPs you want to protect, with a comma between each IP. You can also use blocks (123.123.123.123/8) and ranges (123.0.0.0-123.255.255.255). Just be sure to add a comma between each IP / block / range.

    Dim objShell
    Set objShell = CreateObject("Wscript.shell")

    '########################################################################
    ' This URL has the IP lists
    '########################################################################
    objURLpre = "http://ipinfodb.com/...y.php?country="
    objURLpost = "&output=iptables&filename=blocklist.txt"

    '########################################################################
    'Firewall Rule
    '########################################################################
    rulename = "AllSites HTTP "

    '########################################################################
    'Local IPs to Protect
    'list all IPs that you want to protect
    ' format them as either single IPs, 123.123.123.123
    ' IP blocks, 123.123.123.123/24
    ' IP ranges, 123.0.0.0-123.255.255.255
    ' with a comma separating them
    '########################################################################
    serverIPs = "199.119.176.70-199.119.176.126,199.119.177.2-199.119.177.11,199.119.177.13-199.119.177.28"

    '########################################################################
    'Remote IPs per Rule, it's recommended to keep this at 200
    'You can try higher numbers, but the script might error on you
    '########################################################################
    percommand = 200

    '########################################################################
    'Zone files to pull from
    'If there are countries not listed here, visit ipdeny.com, to add them
    '########################################################################
    Dim arrayzone(21)   '22 entries, indexes 0-21; a larger bound leaves an Empty entry that the loop would fetch
    arrayzone(0) = "AF"  'Afghanistan
    arrayzone(1) = "CN"  'China
    arrayzone(2) = "DZ"  'Algeria
    arrayzone(3) = "HK"  'Hong Kong
    arrayzone(4) = "IN"  'India
    arrayzone(5) = "IQ"  'Iraq
    arrayzone(6) = "KZ"  'Kazakhstan
    arrayzone(7) = "NG"  'Nigeria
    arrayzone(8) = "PA"  'Panama
    arrayzone(9) = "RU"  'Russia
    arrayzone(10) = "RO" 'Romania
    arrayzone(11) = "UA" 'Ukraine
    arrayzone(12) = "TW" 'Taiwan
    arrayzone(13) = "ID" 'Indonesia
    arrayzone(14) = "BG" 'Bulgaria
    arrayzone(15) = "VN" 'Vietnam
    arrayzone(16) = "SK" 'Slovakia
    arrayzone(17) = "MD" 'Moldova
    arrayzone(18) = "TR" 'Turkey
    arrayzone(19) = "PH" 'Philippines
    arrayzone(20) = "BR" 'Brazil
    arrayzone(21) = "LV" 'Latvia

    'Only the first IPv4 address or CIDR block found on each downloaded line is
    'passed to netsh. Blank lines, comments and any other text in the response
    'are dropped, so the downloaded list cannot change the shape of the command
    'line it is spliced into, and no trailing "," is left in remoteip.
    Dim ipPattern
    Set ipPattern = New RegExp
    ipPattern.Pattern = "\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?"

    For Each url In arrayzone
        '########################################################################
        'Get IPs from the current zone
        '########################################################################
        Set objHTTP = CreateObject("Msxml2.XMLHTTP")
        objHTTP.open "GET", objURLpre & url & objURLpost, False
        objHTTP.send
        HTTPstatus = objHTTP.Status
        If HTTPstatus = 200 Then
            GetHTML = objHTTP.responseText

            '########################################################################
            'Delete previous firewall rules with the same name
            '########################################################################
            netshCommand = "NETSH advfirewall firewall delete rule name=" & Chr(34) & rulename & " " & url & " Block" & Chr(34)
            errorcode = objShell.Run(netshCommand, 1, True)
            '########################################################################
            'wscript.echo errorcode 0 = good / 1 = bad
            '########################################################################

            current = 0
            iplist = ""
            iparray = Split(GetHTML, Chr(10))
            For Each line In iparray
                Set found = ipPattern.Execute(Replace(line, Chr(13), ""))   'strip CR from CRLF endings
                If found.Count > 0 Then
                    ip = found(0).Value
                    If current = 0 Then
                        iplist = ip
                        current = 1
                    Else
                        iplist = iplist & "," & ip
                        current = current + 1
                    End If

                    '########################################################################
                    'If we have reached our limit then push the rule to the firewall
                    '########################################################################
                    If current = percommand Then
                        netshCommand = "NETSH advfirewall firewall add rule name=" & Chr(34) & rulename & " " & url & " Block" & Chr(34) & " dir=In action=Block enable=yes profile=public,private,domain localip=" & serverIPs & " remoteip=" & iplist & " protocol=tcp"
                        errorcode = objShell.Run(netshCommand, 1, True)
                        current = 0
                        iplist = ""
                    End If
                End If
            Next

            '########################################################################
            'Add any left over IPs
            '########################################################################
            If current > 0 Then
                netshCommand = "NETSH advfirewall firewall add rule name=" & Chr(34) & rulename & " " & url & " Block" & Chr(34) & " dir=In action=Block enable=yes profile=public,private,domain localip=" & serverIPs & " remoteip=" & iplist & " protocol=tcp"
                errorcode = objShell.Run(netshCommand, 1, True)
            End If
        Else
            WScript.Echo "ERROR GETTING TO URL: " & url
        End If
    Next
    WScript.Echo "done"

Edited February 26, 2013 by Jopa
Administrators daredevil (Author) Posted February 26, 2013
None of this actually answered my question.
Jopa Posted February 26, 2013 (edited)
Adding IPs Quickly to a Windows Server
Adding a single IP to a Windows server is simple enough, but when you need to add, say, 16 IPs, the process can become tedious. Below is a command you can run from the command line to add IPs quickly to a Windows server. The command could easily be used in a batch script to add hundreds of IPs if necessary. The command below adds the IP address 192.168.1.2 with the netmask 255.255.255.0 to the "Local Area Connection" interface:

    netsh interface ip add address "Local Area Connection" 192.168.1.2 255.255.255.0

If you wanted to add a range, say from 192.168.1.2 through 192.168.1.254, you could do:

    FOR /L %I IN (2,1,254) DO netsh interface ip add address "Local Area Connection" 192.168.1.%I 255.255.255.0
    REM inside a .bat/.cmd file the loop variable is written %%I instead of %I

This has been tested and works in all versions of Windows Server 2000, 2003, and 2008.
I'm persistent
Edited February 26, 2013 by Jopa
Administrators daredevil (Author) Posted February 26, 2013
It still doesn't answer my question. That command line is old, and it doesn't add the IP under a specific firewall rule.
Jopa Posted February 26, 2013
I was hard at work on this data more recently, but I can find no way. I'm so evil; it's just that I do not have a surplus of servers to test on, I would have to destroy the existing one. Have you tried Batch adding multiple IP addresses to Windows server with netsh?
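The question the thread never answers is how to append addresses to a rule that already exists. On Server 2008 R2 the NetSecurity cmdlets (Get-NetFirewallRule, Set-NetFirewallRule) are not available, they arrived with Windows 8 / Server 2012, and netsh advfirewall firewall set rule ... new remoteip=... replaces the whole list rather than appending. The script below is an added example, not code from any poster in this thread: it uses the HNetCfg.FwPolicy2 COM object, which PowerShell 2.0 on 2008 R2 can drive directly, reads the rule's current RemoteAddresses, merges in the new entries from a text file, and writes the union back. The rule name "Banned IPs", the file path C:\fw\banlist.txt, the protected addresses 192.0.2.10 and 10.0.0.0/8, and the assumption that the firewall reports single hosts as host/255.255.255.255 are all illustrative choices, not facts from the page. Because the list file is meant to be edited by staff over FTP, every line is validated against an IPv4 host/CIDR/range pattern and checked against a protected list before it touches the rule; keywords such as * or LocalSubnet are rejected outright so a typo or a hostile edit cannot turn the ban rule into "block everyone".

```powershell
# Added example (not from the original posts): append IPs from a text file to
# the RemoteAddresses of an existing Windows Firewall rule on Server 2008 R2
# through the HNetCfg.FwPolicy2 COM API, without building netsh command lines
# from the file contents.
# Assumed: an inbound Block rule named "Banned IPs" already exists, and
# C:\fw\banlist.txt holds one IPv4 host, CIDR block or a-b range per line.
param(
    [string]$RuleName = 'Banned IPs',
    [string]$ListFile = 'C:\fw\banlist.txt'
)

# Accept only dotted-quad IPv4 with an optional /prefix or -range. Keywords such
# as *, any, LocalSubnet or a hostname are refused, so someone editing the list
# over FTP cannot turn the ban rule into "block everyone" or a DNS-dependent rule.
$octet        = '(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
$ipv4         = $octet + '(\.' + $octet + '){3}'
$entryPattern = '^' + $ipv4 + '(/([0-9]|[12][0-9]|3[0-2])|-' + $ipv4 + ')?$'

function Test-BanEntry([string]$Entry) {
    return [bool]($Entry -match $entryPattern)
}

# /prefix -> dotted mask, done with arithmetic because PowerShell 2.0 has no -shl/-shr.
function ConvertTo-DottedMask([int]$Bits) {
    $m = [math]::Pow(2, 32) - [math]::Pow(2, 32 - $Bits)
    $octets = @()
    foreach ($shift in 24, 16, 8, 0) {
        $octets += [int]([math]::Floor($m / [math]::Pow(2, $shift)) % 256)
    }
    return ($octets -join '.')
}

# The firewall hands RemoteAddresses back as host/mask strings (assumed form:
# 1.2.3.4/255.255.255.255), so candidates are normalised to that form before the
# duplicate and protected-address checks. Both checks are string-exact: they do
# not detect that 10.1.2.3 lies inside a protected 10.0.0.0/8.
function ConvertTo-RuleForm([string]$Entry) {
    if ($Entry -match '^([0-9.]+)/([0-9]{1,2})$') {
        return $matches[1] + '/' + (ConvertTo-DottedMask ([int]$matches[2]))
    }
    if ($Entry -match '-') { return $Entry }   # ranges are kept as written
    return $Entry + '/255.255.255.255'
}

function Add-BannedAddresses([string]$Name, [string[]]$Candidates, [string[]]$Protected) {
    $fw   = New-Object -ComObject HNetCfg.FwPolicy2
    $rule = $fw.Rules.Item($Name)              # throws if no rule has this name

    $current = @()
    if ($rule.RemoteAddresses -eq '*') {
        Write-Warning "Rule '$Name' currently matches any remote address; the list below will replace that."
    } elseif ($rule.RemoteAddresses) {
        $current = @($rule.RemoteAddresses -split ',' | ForEach-Object { $_.Trim() })
    }
    $protectedForms = @($Protected | ForEach-Object { ConvertTo-RuleForm $_ })

    $added = @()
    foreach ($raw in $Candidates) {
        $entry = $raw.Trim()
        if ($entry -eq '' -or $entry.StartsWith('#')) { continue }
        if (-not (Test-BanEntry $entry)) {
            Write-Warning "Rejected '$entry': not an IPv4 host, CIDR block or range"
            continue
        }
        $form = ConvertTo-RuleForm $entry
        if ($protectedForms -contains $form) {
            Write-Warning "Rejected '$entry': protected address"
            continue
        }
        if (($current -contains $form) -or ($added -contains $form)) { continue }
        $added += $form
    }

    if ($added.Count -gt 0) {
        # RemoteAddresses is one comma-separated string; writing it replaces the
        # whole list, which is why the existing entries are read first and kept.
        $rule.RemoteAddresses = (($current + $added) -join ',')
    }
    return ,$added
}

# Addresses the ban rule must never contain (constructed example values: the
# management host and the internal network). Adjust for your environment.
$protected = @('192.0.2.10', '10.0.0.0/8')

$result = Add-BannedAddresses -Name $RuleName -Candidates (Get-Content $ListFile) -Protected $protected
Write-Output ("Added {0} address(es) to rule '{1}'" -f @($result).Count, $RuleName)
```

To give staff the "batch file" the question asks for, save this as C:\fw\Add-BannedIPs.ps1 and have the .bat contain a single line, powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\fw\Add-BannedIPs.ps1, run from an account that is a local administrator (the COM API needs it to write rules). Whoever can write banlist.txt controls what the server blocks, so keep the file's write permission to the staff who should have it and treat FTP uploads of it as privileged changes; the validation above limits the damage of a bad line but cannot tell a legitimate ban from a malicious one.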