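# Hyper-V extended port ACLs for one VM (Add-VMNetworkAdapterExtendedAcl).
#
# How the rules below combine:
#   * Rules are matched per -Direction; when several match, the one with the
#     highest -Weight decides.  Weight, not the order of the calls, is what
#     matters.
#   * Every rule is -Stateful $false, so reply traffic is not tracked: each
#     direction has to be opened explicitly (see the UDP 53 reply rule).
#   * The cmdlet adds to the existing rule set, so re-running this script is
#     expected to stack duplicates -- inspect with
#     Get-VMNetworkAdapterExtendedAcl -VMName $vmName before re-running.
#
# Effective policy as written (rules marked NOTE(review) never win):
#   Inbound : default Deny (501); allowed: ICMP (504), TCP to local port 22
#             (502), UDP from remote port 53 to 10.15.12.35 (505).
#   Outbound: Allow all (503/504) -- the Outbound Deny at 501 is shadowed,
#             so outbound traffic is effectively unfiltered.

# Name of the VM whose network adapter(s) receive the rules.
$vmName = "kvm11599"

# Adds one extended ACL rule to $vmName and reports it.
#   Description - text used in the progress message
#   Rule        - the remaining Add-VMNetworkAdapterExtendedAcl parameters
# -ErrorAction Stop keeps a failed add from being followed by a misleading
# "rule added" message and the final "all rules updated" line.
function Add-AclRule {
    param(
        [Parameter(Mandatory)] [string] $Description,
        [Parameter(Mandatory)] [hashtable] $Rule
    )
    Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Stateful $false -ErrorAction Stop @Rule
    Write-Host "已添加 $Description 规则"
}

# Inbound Allow ICMP (-Protocol 1 is the IP protocol number for ICMP).
Add-AclRule 'Inbound Allow ICMP' @{
    Direction = 'Inbound'; Action = 'Allow'
    LocalIPAddress = 'ANY'; RemoteIPAddress = 'ANY'
    LocalPort = 'ANY'; RemotePort = 'ANY'
    Protocol = 1; Weight = 504
}

# Outbound Deny all.
# NOTE(review): shadowed by the two Outbound Allow all rules (weights 503 and
# 504) below, so this deny never takes effect.  Raise its weight above them,
# or drop the allow-all rules, if outbound is meant to be default-deny.
# NOTE(review): '*' for -LocalIPAddress differs from the 'ANY' used everywhere
# else in this file -- confirm the cmdlet treats both as a wildcard.
Add-AclRule 'Outbound Deny all' @{
    Direction = 'Outbound'; Action = 'Deny'
    LocalIPAddress = '*'; RemoteIPAddress = 'ANY'
    LocalPort = 'ANY'; RemotePort = 'ANY'
    Protocol = 'ANY'; Weight = 501
}

# Outbound Allow all.
Add-AclRule 'Outbound Allow all' @{
    Direction = 'Outbound'; Action = 'Allow'
    LocalIPAddress = 'ANY'; RemoteIPAddress = 'ANY'
    LocalPort = 'ANY'; RemotePort = 'ANY'
    Protocol = 'ANY'; Weight = 504
}

# Outbound Allow TCP.
# NOTE(review): weight 1 loses to both the Outbound Deny (501) and the
# Outbound Allow all (504); this rule is dead and can be removed.
Add-AclRule 'Outbound Allow TCP' @{
    Direction = 'Outbound'; Action = 'Allow'
    LocalIPAddress = 'ANY'; RemoteIPAddress = 'ANY'
    LocalPort = 'ANY'; RemotePort = 'ANY'
    Protocol = 'TCP'; Weight = 1
}

# Inbound Allow TCP.  (The progress message used to say "Inbound Allow all";
# corrected to match the rule.)
# NOTE(review): weight 1 loses to the Inbound Deny all (501), so this rule is
# dead.  If its weight is ever raised above 501 it opens every TCP port
# inbound -- remove it rather than leave that trap in place.
Add-AclRule 'Inbound Allow TCP' @{
    Direction = 'Inbound'; Action = 'Allow'
    LocalIPAddress = 'ANY'; RemoteIPAddress = 'ANY'
    LocalPort = 'ANY'; RemotePort = 'ANY'
    Protocol = 'TCP'; Weight = 1
}

# Outbound Allow all (Weight 503).
# NOTE(review): redundant with the Outbound Allow all at weight 504.
Add-AclRule 'Outbound Allow all (Weight 503)' @{
    Direction = 'Outbound'; Action = 'Allow'
    LocalIPAddress = 'ANY'; RemoteIPAddress = 'ANY'
    LocalPort = 'ANY'; RemotePort = 'ANY'
    Protocol = 'ANY'; Weight = 503
}

# Inbound Deny all -- the inbound default; every inbound allow below must
# carry a weight above 501 to take effect.
# NOTE(review): '*' vs 'ANY' for -LocalIPAddress, see the Outbound Deny above.
Add-AclRule 'Inbound Deny all' @{
    Direction = 'Inbound'; Action = 'Deny'
    LocalIPAddress = '*'; RemoteIPAddress = 'ANY'
    LocalPort = 'ANY'; RemotePort = 'ANY'
    Protocol = 'ANY'; Weight = 501
}

# Inbound TCP 22: SSH sessions to this VM, from any remote address.
Add-AclRule 'Inbound 22 TCP' @{
    Direction = 'Inbound'; Action = 'Allow'
    LocalIPAddress = 'ANY'; RemoteIPAddress = 'ANY'
    LocalPort = '22'; RemotePort = 'ANY'
    Protocol = 'TCP'; Weight = 502
}

# Inbound UDP 53: DNS replies (remote source port 53) to 10.15.12.35, which is
# presumably this VM's own address -- verify against the VM's configuration.
# Because the rule is not stateful it admits any inbound UDP datagram with
# source port 53, not only answers to queries the VM sent.
Add-AclRule 'Inbound UDP 53' @{
    Direction = 'Inbound'; Action = 'Allow'
    LocalIPAddress = '10.15.12.35'; RemoteIPAddress = 'ANY'
    LocalPort = 'ANY'; RemotePort = '53'
    Protocol = 'UDP'; Weight = 505
}

# Reached only if every add above succeeded (see -ErrorAction Stop).
Write-Host "所有 ACL 规则已成功更新。"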
因为 ACL 策略是单向的（每条规则只匹配一个方向，且这里都是非状态化规则），
以 22 端口为例，需要在入方向同时设置“本地端口 22”和“远程端口 22”两条规则，才能既保证能 SSH 进来，也能 SSH 到别的机器。
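# SSH (TCP 22) under non-stateful, per-direction rules: one inbound rule is
# needed for each side of the connection.  Weight 510 beats the Inbound Deny
# all (501).  -ErrorAction Stop so a failed add does not pass silently.
$sshRule = @{
    VMName = $vmName; Direction = 'Inbound'; Action = 'Allow'
    LocalIPAddress = 'ANY'; RemoteIPAddress = 'ANY'; Protocol = 'TCP'
    Weight = 510; Stateful = $false; ErrorAction = 'Stop'
}

# Incoming SSH sessions to this VM (local destination port 22).
Add-VMNetworkAdapterExtendedAcl @sshRule -LocalPort '22' -RemotePort 'ANY'

# Replies for SSH sessions this VM opens to other hosts (remote source port 22).
# NOTE(review): because the rule is not stateful it admits ANY inbound TCP
# segment whose source port is 22, to ANY local port -- a remote peer that
# sends from source port 22 bypasses the inbound deny.  Prefer a stateful
# (-Stateful $true) rule on the outbound SSH traffic if the platform supports
# it, or at least restrict -RemoteIPAddress to the hosts this VM must reach.
Add-VMNetworkAdapterExtendedAcl @sshRule -LocalPort 'ANY' -RemotePort '22'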
资料来源：微软 Hyper-V ACL 文档