SpamButcher is a powerful anti-spam program that can stop over 97% of unwanted email.
Free Anti-Spam Download - Click Here!
How to Block all Email / Traffic from a Given Country using IPSEC (Windows Server 2003 and XP)
This page provides a hypothetical how-to on blocking internet traffic from certain countries in Windows XP or Windows Server 2003. It will probably also work for Windows 2000 with some syntax changes.
This may prove of use to email (Exchange Server) or web server administrators looking to
block spam or reduce the amount of other unwanted traffic they get. There of course may be other, smarter / safer ways of accomplishing this.
This page may also prove useful for anyone looking to implement a large number of rules for blocking network traffic on a Windows system.
Linux administrators can find a similar set of instructions here.
Disclaimers (please read):
SpamButcher in no way advocates actually making the configuration changes below. Blocking access from various countries may have unintended consequences such as rejecting critical email.
While we've verified the instructions in this document seem to work - they have not been tested on a "production server."
It seems probable that Microsoft never tested IPSEC with as large a number of rules as described in this document. There is a very real chance that following these steps might cause performance or stability problems. If you don't have at least a few years experience as a system administrator - you should probably stop reading now. Proceed at your own risk!
SpamButcher makes no warranties about the content of this document and any related files or their suitability for any purpose.
1. Make sure the IPSEC Services are running
2. Get the "ipseccmd" tool
On the surface there doesn't appear to be an easy way in Windows to implement a large number of firewall rules. However, a little research reveals the IPSEC service in Windows is in truth quite configurable - you just need to use the right tool.
Windows XP users can get ipseccmd as part of the Windows XP SP2 Tools. Be sure to do a "full" install.
Windows Server 2003 users will need to perform the same installation (yes, on a Windows XP system) to obtain the tool - and then copy it over to the server. The only actual file needed is C:\PROGRAM FILES\SUPPORT TOOLS\ipseccmd.exe
Microsoft has confirmed that ipseccmd works under Windows Server 2003.
Some more experienced Windows system administrators may ask "why don't you use Windows Server 2003's netsh command to configure IPSEC?" Well, because it's a complete and total pain to use - that's why.
3. Determine what countries you want to block traffic from
Don't take this lightly. In addition to stopping spam email
- you may eliminate some email you in fact need to get. It's sometimes difficult to anticipate which parts of the world your company may do business with in the near future. You may even depend on existing services that are provided by companies overseas without knowing it.
This batch file contains an example of what a script to block most networks located in Korea, China and Russia might look like.
SpamButcher does not recommend running this script, and takes no responsibility for what effect it may have on your system if you should.
If you should decide to start with the above file as an example, you can skip to step 6.
4. Figure out what networks belong to those countries
Blackholes.us has a pretty good geolocation database, and is used in the example below. Software77.net's geolocation database seems more complete, but is a little trickier to use.
Figure out which countries you want to ignore traffic from - and place their networks into a file.
$DATASET ip4set zx @
188.8.131.52:127.0.0.2:Republic of Zaxxon
184.108.40.206/15 (from here on down are the actual networks)
5. Create a batch file
Your batch file will need to look like this:
ipseccmd -f [220.127.116.11/255.254.0.0=*]
ipseccmd -f [18.104.22.168/255.254.0.0=*]
ipseccmd -f [22.214.171.124/255.254.0.0=*]
ipseccmd -f [126.96.36.199/255.254.0.0=*]
ipseccmd -f [188.8.131.52/255.254.0.0=*]
Minor complication - the addresses from the database use "CIDR" style notation. Ipseccmd isn't quite smart enough to understand this. You'll need to convert all those /15's and /18's to "subnet masks."
For example "184.108.40.206/15" is the same as saying "220.127.116.11/255.254.0.0"
You may want to ignore any networks ending with "/21" to "/24." These networks are small enough where not blocking them won't allow a significant amount of unwanted traffic through. However, skipping them will save time creating your script and reduce the total number filters IPSEC will have to process.
This page provides a cheat sheet of CIDR's / subnet masks. If you're creative - you can probably use the search and replace feature of a spreadsheet application to get things looking how you need in about 10 minutes.
Save out your batch file under a logical name like "countryblock.bat." If you're doing a number of countries - you may want to break them up for testing.
6. Test the batch file
If your script throws a few errors - it may not be cause for concern. When I was testing - I found what appeared to be a handful of invalid networks in the database. Hunting them down may not be worth the effort.
On the other hand - there certainly could be errors in the database that would block traffic from unintended regions. Again, this entire process does pose some risk.
The filters this script loads are "dynamic" - in that they are temporary. If you restart your system - they should not persist.
After running the script - this command should show you your newly defined filters:
ipseccmd show filters
The following command will clear the filters you just defined:
7. Use Task Scheduler to run the batch file on startup
In Windows Server 2003 and XP you can easily schedule a task to "Run at System Startup" using the "Scheduled Tasks" Control Panel applet.
Make sure ipseccmd.exe is either in the same folder as your batch file, or otherwise in the system path.
In my testing, I configured the task to run as an account with administrative privileges. Running as "system" may or may not work.
I've observed the first rule will sometimes fail to load if the IPSEC service is still starting when the batch file runs. There's probably an elegant solution for this, but I'm not aware what it is.
One possible work-around would be to define the first rule twice. Alternately, it may not be worth worrying about since your entire rule set is likely hundreds of lines long. Missing a single entry probably won't allow a significant amount of unwanted traffic through.