4

I am using the following script to block IPs from a text file in the Windows Firewall.

I'm using Windows 2008 R2

    @echo off
    if "%~1"=="list" (
      netsh advfirewall firewall show rule name="Blockit" | findstr RemoteIP
      exit /b
    )

    :: Deleting existing block on ips
    netsh advfirewall firewall delete rule name="Blockit"

    :: Block new ips (while reading them from blockit.txt), one rule per ip
    for /f %%i in (blockit.txt) do (
      netsh advfirewall firewall add rule name="Blockit" protocol=any dir=in action=block remoteip=%%i
      netsh advfirewall firewall add rule name="Blockit" protocol=any dir=out action=block remoteip=%%i
    )

    :: call this batch again with list to show the blocked IPs
    call "%~f0" list

The problem is, this script creates one separate rule for each blocked IP.

Is there any way to create fewer rules, with multiple IPs banned in the same rule? As far as I remember each rule has a maximum of 200 allowed banned IPs, so when IP number 201 is found it should create a new rule. This way, if we have 1000 IPs to block, it will create just 5 rules of 200 IPs each instead of 1000 rules.

Hopefully someone can help me. Thank you

Chris

2 Answers

3

Look at the "Caveats & Legal Disclaimers" section on http://cyber-defense.sans.org/blog/2011/10/25/windows-firewall-script-block-addresses-network-ranges and then look at how their Import-Firewall-Blocklist.ps1 script works.

DTK
  • I'm not an expert on this at all unfortunately, so if someone could help me with a modification to my batch script that would be awesome. – Chris Dec 19 '14 at 23:39
  • The script they show does not require expert-level knowledge. Your general cry for "fix my batch script" may be seen by some on these boards as lazy and demanding. What you are trying to do can be more easily accomplished in PowerShell, which is what the example script that they gave is written in. – DTK Dec 25 '14 at 14:11
  • The link you posted was very useful. It highlights issues with Windows Firewall if you overload it with rules. I am planning on using the referenced script near term, but am going to shop around for a software product that does not exhibit the Windows issues, assuming one exists. – Highdown Jan 10 '18 at 19:53
1

For the simple case of < 200 IPs you first need to iterate through the file and get all the IP addresses into a single string. Then you can call the netsh command twice outside the loop (once for inbound traffic and once for outbound).

In order to allow it to cope with more than 200 IPs I've added a counter into the for loop. Once you exceed 200 IPs it will call the netsh command and reset the IP counter before continuing to loop through the file. The end result should be that you end up with a series of rules in the format "Blockitn", where n is a number.

The one section I'm unsure on is the list and delete directives at the top. In order to get these to work properly the script needs to know how many relevant 'Blockit' rules exist. The best I could come up with is to list these and pass the results through a findstr in a for loop. I'm not sure that it's working quite right though. I'll keep working on it, but thought I would post this now as it's almost there - and hopefully you might be able to figure the last bit out :)

Note the addition of the enabledelayedexpansion directive near the top - this lets us use !VAR! style variables which won't be expanded during initialisation; only on execution. Otherwise the final IPADDR variable will just contain the last IP in the text file.

    @echo off
    setlocal enabledelayedexpansion

    REM Maximum number of addresses placed in one rule (the per-rule limit the
    REM question works from). Change CHUNK if your firewall accepts more.
    set /a CHUNK=200

    if /i "%~1"=="list" (
      call :for_each_blockit_rule show
      exit /b
    )

    REM Delete the existing Blockit rules before rebuilding them
    call :for_each_blockit_rule delete

    REM Block new IPs, CHUNK per rule, reading them one per line from blockit.txt
    REM (blank lines and lines starting with # are skipped, as is anything after
    REM the first space on a line)
    set /a IPCOUNT=0
    set /a BLOCKCOUNT=1
    set "IPADDR="
    for /f "eol=# tokens=1" %%i in (blockit.txt) do (
      set /a IPCOUNT+=1
      if !IPCOUNT! GTR %CHUNK% (
        call :add_rule !BLOCKCOUNT! "!IPADDR!"
        set /a BLOCKCOUNT+=1
        set /a IPCOUNT=1
        set "IPADDR="
      )
      if defined IPADDR (set "IPADDR=!IPADDR!,%%i") else (set "IPADDR=%%i")
    )

    REM Add the final, possibly partial, block (nothing to add if the file was empty)
    if defined IPADDR call :add_rule !BLOCKCOUNT! "!IPADDR!"

    REM Call this batch again with "list" to show the blocked IPs
    call "%~f0" list
    exit /b

    :add_rule
    REM Arguments: rule number, comma-separated address list
    netsh advfirewall firewall add rule name="Blockit%~1" protocol=any dir=in action=block remoteip=%~2
    netsh advfirewall firewall add rule name="Blockit%~1" protocol=any dir=out action=block remoteip=%~2
    exit /b

    :for_each_blockit_rule
    REM Argument: show or delete. "show rule name=all" lists each Blockit rule
    REM twice (the inbound and outbound rules share a name), so DONE_<name> skips
    REM the repeat; splitting the line on ":" keeps this independent of the
    REM localised "Rule Name:" label.
    setlocal
    for /f "tokens=1* delims=:" %%a in ('netsh advfirewall firewall show rule name^=all ^| findstr /C:"Blockit"') do (
      for /f "tokens=*" %%n in ("%%b") do if not defined DONE_%%n (
        set "DONE_%%n=1"
        if "%~1"=="show" (
          netsh advfirewall firewall show rule name="%%n" | findstr /C:"RemoteIP"
        )
        if "%~1"=="delete" (
          netsh advfirewall firewall delete rule name="%%n"
        )
      )
    )
    endlocal
    exit /b

As an aside, if it were me I would probably look to learn PowerShell for this sort of thing (or indeed any scripting on a semi-modern Microsoft platform). Once you get the hang of it you'll find it's far, far more intuitive than batch files.

(P.S. - For any batch file experts reading this, feel free to suggest a better alternative - I'm no expert myself!)

Steve365
  • Thank you so much, Steve. I tried your first unmodified version and it works like a charm if my IP list has <500 IPs (it seems this is the Windows Firewall limit per rule). If it has more than 500 IPs the .bat file window just closes without executing correctly. – Chris Dec 20 '14 at 20:42
  • I have tried your edited version of the script from few minutes ago but something is not working right. When I run the .bat it simply closes the next second without executing any command. Thank you again for your effort and the fact that you're spending time on helping me. – Chris Dec 20 '14 at 20:43
  • Managed to get a printscreen of the error of your current version http://prntscr.com/5j2lvf – Chris Dec 20 '14 at 20:48
  • Ahh, I had a typo in the first two for loops - needs a space between 'in' and '(' - have edited it for you – Steve365 Dec 20 '14 at 21:06
  • Thanks a lot for your help, Steve. It works exactly as I needed. – Chris Dec 20 '14 at 21:21
  • Excellent, I'm glad it worked. Did the list and delete sections work as intended also? P.S. - If so, feel free to mark it as the right answer :) – Steve365 Dec 20 '14 at 21:33
  • The delete seems not to work. If I re-run the .bat file, new set of rules will be added with a duplicate name as the ones before without deleting the old ones first. – Chris Dec 20 '14 at 21:41
  • Yeah, I thought that might happen. The netsh rule lookup isn't doing what I thought it would do. I'm a bit puzzled as to why not right now. I'm going to sleep on it and see if I get some inspiration! – Steve365 Dec 20 '14 at 21:44
  • Ok, try the latest version. This should work now unless I've done something daft. I was missing an escape character before the = sign in the netsh commands. I've also fixed a bug in the section that adds the rules, the previous version would have skipped one IP address for every 201 address in the input file. – Steve365 Dec 20 '14 at 22:18
  • Seems to be working fine now: when running the .bat a second time, old rules get deleted and new ones replace them; however, I get some errors in the output although the rules are added correctly (checked), and I'm not sure why the errors. Here is a screenshot of the error (my IP list contains about 1000+ IPs and they are added one below the other, so one IP per line) http://prntscr.com/5j4b57 – Chris Dec 20 '14 at 23:02
  • The errors came from the list bit. I've corrected a typo - didn't need to escape the pipe (|) character in the netsh command as it wasn't inside a for loop. Try again :) – Steve365 Dec 21 '14 at 10:33
  • It's on the right track, no idea why it still gives the following though http://prntscr.com/5jbmll (rules are deleting/creating just fine, no idea if some of the ips are skipped though). Thanks for your time, Steve. – Chris Dec 21 '14 at 15:24
  • That's just because it's deleting rules two at a time, because for each block of 200 the inbound and outbound rules are named the same. So if there are 5 inbound rules and 5 outbound rules (10 total), the loop will go through 10 times, delete two at a time for the first 5 iterations, and then not have any rules left for the final 5 iterations. It's a quirk, but not functionally problematic. – Steve365 Dec 21 '14 at 15:28
  • All good then. Works like a charm and exactly as I wanted it to work. You're great Steve, thanks again for your time and your work. – Chris Dec 21 '14 at 15:50
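Both answers point at PowerShell, and the question's requirement (at most 200 addresses per rule, rules named Blockit1, Blockit2, ... rebuilt from blockit.txt on every run) is easier to get right there than in batch. The following is an added example written for this page; it is not code from the question, from either answer, or from the SANS script linked above. It targets the PowerShell 2.0 that ships with Windows Server 2008 R2, which has no New-NetFirewallRule cmdlet, so rules are still created through netsh advfirewall exactly as in the batch versions. The rule-name prefix "Blockit", the file name blockit.txt and the 200-per-rule ceiling come from the thread; the parameter names, helper functions and the -DryRun switch are this example's own. Two things the batch scripts do not do are worth having: each line is validated as an address, subnet (a.b.c.d/n) or range (a.b.c.d-e.f.g.h) before it goes anywhere near netsh, because one malformed entry makes netsh reject the whole 200-address rule and leaves the other 199 addresses unblocked; and existing rules are found by name rather than by counting lines, so the inbound/outbound pair that share a name cannot throw the delete loop off.

```powershell
# Added example for the thread above (not the question's or answers' code).
# PowerShell 2.0 / Windows Server 2008 R2: firewall rules are created with
# netsh advfirewall. Run from an elevated prompt; -DryRun prints the netsh
# commands instead of executing them.
param(
    [string]$BlocklistPath = 'blockit.txt',   # file name from the thread
    [string]$RulePrefix    = 'Blockit',       # rule-name prefix from the thread
    [int]$MaxPerRule       = 200,             # per-rule ceiling from the question
    [switch]$DryRun
)

# Accept only the forms netsh's remoteip= understands: a single IPv4 address,
# a subnet (a.b.c.d/n) or a range (a.b.c.d-e.f.g.h). Anything else is skipped
# and reported rather than handed to netsh, where it would fail the whole rule.
function Test-BlocklistEntry {
    param([string]$Entry)
    $ip = [System.Net.IPAddress]::None
    switch -regex ($Entry) {
        '^(\d{1,3}(\.\d{1,3}){3})/(\d{1,2})$' {
            return ([System.Net.IPAddress]::TryParse($matches[1], [ref]$ip) -and
                    ([int]$matches[3] -le 32))
        }
        '^(\d{1,3}(\.\d{1,3}){3})-(\d{1,3}(\.\d{1,3}){3})$' {
            return ([System.Net.IPAddress]::TryParse($matches[1], [ref]$ip) -and
                    [System.Net.IPAddress]::TryParse($matches[3], [ref]$ip))
        }
        '^\d{1,3}(\.\d{1,3}){3}$' {
            return [System.Net.IPAddress]::TryParse($Entry, [ref]$ip)
        }
    }
    return $false
}

# Read the file, drop blank lines, "#" comments and duplicates, and warn about
# entries that fail validation. Returns the valid entries in file order.
function Read-Blocklist {
    param([string]$Path)
    $good = @(); $bad = @()
    foreach ($line in @(Get-Content -Path $Path)) {
        $entry = ($line -split '#')[0].Trim()
        if ($entry -eq '') { continue }
        if (Test-BlocklistEntry $entry) { $good += $entry } else { $bad += $entry }
    }
    if ($bad.Count -gt 0) {
        Write-Warning ("Skipping {0} invalid entries: {1}" -f $bad.Count, ($bad -join ' '))
    }
    return ,@($good | Select-Object -Unique)
}

# Split the entries into arrays of at most $Size items; the last may be shorter.
function Split-Chunks {
    param([string[]]$Items, [int]$Size)
    $chunks = New-Object System.Collections.ArrayList
    if (-not $Items) { return ,$chunks }
    for ($i = 0; $i -lt $Items.Count; $i += $Size) {
        $end = [Math]::Min($i + $Size, $Items.Count) - 1
        [void]$chunks.Add([string[]]@($Items[$i..$end]))
    }
    return ,$chunks
}

# Run one netsh command (or print it under -DryRun) and surface a failure.
function Invoke-Netsh {
    param([string[]]$Arguments)
    if ($DryRun) { Write-Host ('netsh ' + ($Arguments -join ' ')); return }
    $out = & netsh.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("netsh {0} failed: {1}" -f ($Arguments -join ' '), ($out -join ' '))
    }
}

# Find every existing <prefix><number> rule by matching the value column of
# "show rule name=all" (not the localised "Rule Name:" label) and delete it.
# One delete by name removes both the inbound and the outbound rule.
function Remove-ExistingRules {
    $pattern = '^[^:]+:\s+(' + [regex]::Escape($RulePrefix) + '\d+)\s*$'
    $names = netsh.exe advfirewall firewall show rule name=all |
        ForEach-Object { if ($_ -match $pattern) { $matches[1] } } |
        Sort-Object -Unique
    foreach ($name in @($names)) {
        Invoke-Netsh -Arguments @('advfirewall', 'firewall', 'delete', 'rule', "name=$name")
    }
}

$entries = Read-Blocklist -Path $BlocklistPath
Remove-ExistingRules
$ruleNumber = 0
foreach ($chunk in (Split-Chunks -Items $entries -Size $MaxPerRule)) {
    $ruleNumber++
    foreach ($direction in 'in', 'out') {
        Invoke-Netsh -Arguments @('advfirewall', 'firewall', 'add', 'rule',
            "name=$RulePrefix$ruleNumber", 'protocol=any', "dir=$direction",
            'action=block', "remoteip=$($chunk -join ',')")
    }
}
Write-Host ("{0} addresses blocked in {1} rule pair(s)" -f $entries.Count, $ruleNumber)
```

Save it as, say, Block-Addresses.ps1 next to blockit.txt and run `powershell -ExecutionPolicy Bypass -File .\Block-Addresses.ps1 -DryRun` first: every netsh command it would issue is printed, including which lines of the file were rejected, so the rule layout can be checked before anything touches the firewall. Dropping -DryRun applies it. Because old rules are discovered by name, rerunning the script after shrinking the list also removes the now-surplus higher-numbered rules, which the counter-based batch version only does when the count comes out right.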