Hyper-V Security Group

ranyuan
2024-10-28 / 0 comments / 40 reads
# Name of the target virtual machine
$vmName = "kvm11599"

# Add the new extended ACL rules. A higher Weight takes precedence; all rules are stateless.
# Inbound Allow ICMP (IANA protocol number 1 = ICMPv4)
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Direction Inbound -Action Allow -LocalIPAddress 'ANY' -RemoteIPAddress 'ANY' -LocalPort 'ANY' -RemotePort 'ANY' -Protocol 1 -Weight 504 -Stateful $false
Write-Host "已添加 Inbound Allow ICMP 规则"

# Outbound Deny all (catch-all; everything not allowed by a heavier rule is dropped)
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Direction Outbound -Action Deny -LocalIPAddress '*' -RemoteIPAddress 'ANY' -LocalPort 'ANY' -RemotePort 'ANY' -Protocol 'ANY' -Weight 501 -Stateful $false
Write-Host "已添加 Outbound Deny all 规则"

# Outbound Allow all
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Direction Outbound -Action Allow -LocalIPAddress 'ANY' -RemoteIPAddress 'ANY' -LocalPort 'ANY' -RemotePort 'ANY' -Protocol 'ANY' -Weight 504 -Stateful $false
Write-Host "已添加 Outbound Allow all 规则"

# Outbound Allow TCP (weight 1 sits below the Deny all at 501, so this rule never takes effect)
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Direction Outbound -Action Allow -LocalIPAddress 'ANY' -RemoteIPAddress 'ANY' -LocalPort 'ANY' -RemotePort 'ANY' -Protocol 'TCP' -Weight 1 -Stateful $false
Write-Host "已添加 Outbound Allow TCP 规则"

# Inbound Allow TCP (weight 1 sits below the Deny all at 501, so this rule never takes effect)
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Direction Inbound -Action Allow -LocalIPAddress 'ANY' -RemoteIPAddress 'ANY' -LocalPort 'ANY' -RemotePort 'ANY' -Protocol 'TCP' -Weight 1 -Stateful $false
Write-Host "已添加 Inbound Allow TCP 规则"

# Outbound Allow all (Weight 503)
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Direction Outbound -Action Allow -LocalIPAddress 'ANY' -RemoteIPAddress 'ANY' -LocalPort 'ANY' -RemotePort 'ANY' -Protocol 'ANY' -Weight 503 -Stateful $false
Write-Host "已添加 Outbound Allow all (Weight 503) 规则"

# Inbound Deny all (catch-all; everything not allowed by a heavier rule is dropped)
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Direction Inbound -Action Deny -LocalIPAddress '*' -RemoteIPAddress 'ANY' -LocalPort 'ANY' -RemotePort 'ANY' -Protocol 'ANY' -Weight 501 -Stateful $false
Write-Host "已添加 Inbound Deny all 规则"

# Inbound TCP 22 (SSH into this VM)
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Direction Inbound -Action Allow -LocalIPAddress 'ANY' -RemoteIPAddress 'ANY' -LocalPort '22' -RemotePort 'ANY' -Protocol 'TCP' -Weight 502 -Stateful $false
Write-Host "已添加 Inbound 22 TCP 规则"

# Inbound UDP 53 (DNS replies from remote port 53 to the VM's own address)
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Direction Inbound -Action Allow -LocalIPAddress '10.15.12.35' -RemoteIPAddress 'ANY' -LocalPort 'ANY' -RemotePort '53' -Protocol 'UDP' -Weight 505 -Stateful $false
Write-Host "所有 ACL 规则已成功更新。"

Because each extended ACL rule matches traffic in one direction only (all the rules above are created with -Stateful $false), a single inbound rule is not enough. Taking port 22 as the example, you need two inbound rules, one matching the local port and one matching the remote port, so that you can both SSH into this machine and SSH from it to other machines:
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Direction Inbound -Action Allow -LocalIPAddress 'ANY' -RemoteIPAddress 'ANY' -LocalPort '22' -RemotePort 'ANY' -Protocol 'TCP' -Weight 510 -Stateful $false

Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Direction Inbound -Action Allow -LocalIPAddress 'ANY' -RemoteIPAddress 'ANY' -LocalPort 'ANY' -RemotePort '22' -Protocol 'TCP' -Weight 510 -Stateful $false
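The script above depends on two things that are easy to get wrong: rule precedence (the highest Weight that matches wins, so any Allow below the Deny-all at 501 is dead) and the stateless SSH pair just described. The following added example, which is not part of the original post, expresses the same policy as a rule table, clears the adapter's existing extended ACLs so re-runs are idempotent, applies the table, and then reads the result back with Get-VMNetworkAdapterExtendedAcl to flag any Allow rule shadowed by the Deny-all. The VM name kvm11599 and the resolver address 10.15.12.35 come from the post; the function names (Reset-VmExtendedAcl, Set-VmExtendedAclFromTable, Test-VmAclPrecedence) are mine, and the comparison of the Protocol property against 'ANY'/'*' assumes the cmdlet echoes back the value it was given.

```powershell
# Added example, not from the original post. Assumes the Hyper-V PowerShell module
# on the host and an elevated session. VM name and resolver address are the post's;
# function names are my own.
$vmName = "kvm11599"

# Extended ACLs: the highest Weight that matches wins. All rules are stateless
# (-Stateful $false), so reply traffic needs its own rule in the reverse direction.
$rules = @(
    # Catch-alls: anything not allowed by a rule heavier than 501 is dropped.
    @{ Direction='Inbound';  Action='Deny';  Local='ANY'; Remote='ANY'; LPort='ANY'; RPort='ANY'; Proto='ANY'; Weight=501 },
    @{ Direction='Outbound'; Action='Deny';  Local='ANY'; Remote='ANY'; LPort='ANY'; RPort='ANY'; Proto='ANY'; Weight=501 },
    # Outbound: the VM may initiate anything (replies to inbound SSH also leave this way).
    @{ Direction='Outbound'; Action='Allow'; Local='ANY'; Remote='ANY'; LPort='ANY'; RPort='ANY'; Proto='ANY'; Weight=503 },
    # Inbound ICMP (IANA protocol number 1 = ICMPv4, as in the post).
    @{ Direction='Inbound';  Action='Allow'; Local='ANY'; Remote='ANY'; LPort='ANY'; RPort='ANY'; Proto='1';   Weight=504 },
    # SSH into this VM: inbound segments to local port 22.
    @{ Direction='Inbound';  Action='Allow'; Local='ANY'; Remote='ANY'; LPort='22';  RPort='ANY'; Proto='TCP'; Weight=502 },
    # SSH from this VM: inbound replies from remote port 22 (needed because rules are stateless).
    @{ Direction='Inbound';  Action='Allow'; Local='ANY'; Remote='ANY'; LPort='ANY'; RPort='22';  Proto='TCP'; Weight=506 },
    # DNS replies from remote port 53 to the VM's own address.
    @{ Direction='Inbound';  Action='Allow'; Local='10.15.12.35'; Remote='ANY'; LPort='ANY'; RPort='53'; Proto='UDP'; Weight=505 }
)

function Reset-VmExtendedAcl {
    # Remove every existing extended ACL on the VM so that applying the table is idempotent.
    param([string]$Name)
    Get-VMNetworkAdapterExtendedAcl -VMName $Name | ForEach-Object {
        Remove-VMNetworkAdapterExtendedAcl -VMName $Name -Direction $_.Direction -Weight $_.Weight
    }
}

function Set-VmExtendedAclFromTable {
    # Apply each row of the table as one stateless extended ACL rule.
    param([string]$Name, [hashtable[]]$Table)
    foreach ($r in $Table) {
        Add-VMNetworkAdapterExtendedAcl -VMName $Name -Direction $r.Direction -Action $r.Action `
            -LocalIPAddress $r.Local -RemoteIPAddress $r.Remote -LocalPort $r.LPort -RemotePort $r.RPort `
            -Protocol $r.Proto -Weight $r.Weight -Stateful $false
    }
}

function Test-VmAclPrecedence {
    # Return the Allow rules that can never match because a heavier Deny-all covers them,
    # and warn when a direction has no Deny-all at all (default is then allow).
    param([object[]]$Acls)
    $shadowed = @()
    foreach ($dir in 'Inbound', 'Outbound') {
        $set = $Acls | Where-Object { "$($_.Direction)" -eq $dir }
        $denyAll = $set |
            Where-Object { "$($_.Action)" -eq 'Deny' -and "$($_.Protocol)" -in @('ANY', '*') } |
            Sort-Object Weight -Descending | Select-Object -First 1
        if (-not $denyAll) {
            Write-Warning "$dir has no Deny-all catch-all; unmatched traffic is allowed"
            continue
        }
        $set | Where-Object { "$($_.Action)" -eq 'Allow' -and $_.Weight -lt $denyAll.Weight } | ForEach-Object {
            Write-Warning ("{0} Allow rule (weight {1}) is shadowed by Deny-all (weight {2})" -f $dir, $_.Weight, $denyAll.Weight)
            $shadowed += $_
        }
    }
    return $shadowed
}

Reset-VmExtendedAcl -Name $vmName
Set-VmExtendedAclFromTable -Name $vmName -Table $rules

# Read the effective policy back and show it in evaluation order (heaviest first).
$applied = Get-VMNetworkAdapterExtendedAcl -VMName $vmName
$applied | Sort-Object Direction, @{ Expression = 'Weight'; Descending = $true } |
    Format-Table Direction, Weight, Action, Protocol, LocalIPAddress, LocalPort, RemotePort -AutoSize

$dead = Test-VmAclPrecedence -Acls $applied
if ($dead.Count -eq 0) { Write-Host "No shadowed Allow rules." }
```

Running the original script through Test-VmAclPrecedence would report the two weight-1 TCP rules, which is the kind of silent misconfiguration the audit is meant to surface before a VM is handed over.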

Source: Microsoft Hyper-V ACL documentation
