Cyber Defense

Windows Firewall Script To Block IP Addresses And Country Network Ranges

The host-based Windows Firewall is easily managed through scripts and the NETSH.EXE command-line tool. This article is about a simple PowerShell script which can create rules to block inbound and outbound access to thousands of IP addresses and network ID ranges, such as for attackers and unwanted countries.

To get the script, download the SEC505 zip file here or from the Downloads page, open the zip and look in the "Day5-IPSec" folder for the script named Import-Firewall-Blocklist.ps1 (and the sample BlockList.txt file too). Like all the other scripts in the zip file, this script is free and in the public domain.

The script can also create firewall rules which apply only to certain interface profile types (public, private, domain, any) and/or only to certain interface media types (wireless, ras, lan, any); for example, you might wish to only block packets going through an 802.11 NIC (wireless) but only while not at home or at the office (public). The script is just a convenient wrapper around the built-in NETSH.EXE tool.

Requirements

The script requires PowerShell 1.0 or later.

You must be a member of the local Administrators group.

The script runs on Windows Server 2008, Windows Vista, and later operating systems.

A text file containing addresses to block must be passed into the script as an argument. This file must have one entry per line, each line containing either a single IP address, a network ID using CIDR notation, or an IP address range in the form of StartIP-EndIP, for example, "10.4.0.0-10.4.255.254". Both IPv4 and IPv6 are supported. Blank lines and comment lines are ignored; a comment line is any line that does not begin with a number or hex letter. Even if the input file was originally created for Apache or iptables, it can still be used as long as the formatting is compatible (or made compatible with a bit of scripting).

Note: If you want similar scripts for Windows XP and Server 2003, that same zip file above also contains VBS and BAT scripts that all begin with the word "Firewall_*". Look in the VBScript directory.

Block Countries, Attackers, Spammers and Bogons

You can obtain lists of IP addresses and network ID ranges to block from a variety of sources for a variety of purposes.

Here are a few sources to try:

Note: If you also want to block the resolution of unwanted hostnames in DNS, there is another script for that here.

Examples

To create rules to block all inbound and outbound packets to the IP addresses and CIDR networks listed in a file named iptoblock.txt:

import-firewall-blocklist.ps1 -inputfile iptoblock.txt

To block addresses only on public network interfaces:

import-firewall-blocklist.ps1 -inputfile iptoblock.txt -profiletype public

To block addresses only on wireless network adapter cards:

import-firewall-blocklist.ps1 -inputfile iptoblock.txt -interfacetype wireless

To delete the firewall rules created by the script whose names start with "iptoblock*":

import-firewall-blocklist.ps1 -rulename iptoblock -deleteonly

The script defaults to looking for an input file named "blocklist.txt", so you can also simply create that file in the same directory as the script and then run the script with no arguments:

import-firewall-blocklist.ps1

Note: By default the script will create rules which are named after the input file; for example, with an input file named "Attackers.txt", the script will create rules named like "Attackers-#001". If you wish to override the default rule name, use the -RuleName parameter with the script when both creating and deleting the rules.

Caveats & Legal Disclaimers

For NETSH.EXE compatibility reasons, each firewall rule will contain only 200 IP addresses or network ID ranges; hence, when importing 5000 IP addresses or network ranges to block from a file named "Attackers.txt", the script will create 25 inbound rules and 25 outbound rules, named "Attackers-#001" through "Attackers-#025". Don't worry, the script creates or deletes all of them at once, but do take care to use a unique input file name or a unique -RuleName argument so that later deletions match only the rules you intend.
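To make the input format and the 200-entries-per-rule chunking concrete, here is a small wrapper written for this page (it is not the SEC505 script itself) that applies the same rules: lines not starting with a digit or hex letter are comments, entries are grouped into rules named "<file>-#001", "<file>-#002" and so on, and NETSH.EXE does the work. The parameter names mirror the article's; $MaxRangesPerRule, the -DryRun switch and the English "Rule Name:" label in netsh output are assumptions.

```powershell
# Added example, not the SEC505 script: reads a block list, splits it into
# groups of $MaxRangesPerRule entries, and drives NETSH.EXE as the article
# describes. Requires PowerShell 2.0+ for [ValidateSet].
param(
    [string]$InputFile = "blocklist.txt",
    [string]$RuleName = [System.IO.Path]::GetFileNameWithoutExtension($InputFile),
    [ValidateSet("public","private","domain","any")][string]$ProfileType = "any",
    [ValidateSet("wireless","lan","ras","any")][string]$InterfaceType = "any",
    [int]$MaxRangesPerRule = 200,   # netsh-friendly size per rule (assumed name)
    [switch]$DeleteOnly,
    [switch]$DryRun                 # print the netsh commands instead of running them
)

if ($DeleteOnly) {
    # NETSH has no wildcard delete, so list every rule and remove the ones named
    # "<RuleName>-#NNN". "Rule Name:" is the label in English netsh output.
    $pattern = '^Rule Name:\s+(' + [regex]::Escape($RuleName) + '-#\d+)\s*$'
    netsh.exe advfirewall firewall show rule name=all |
        ForEach-Object { $m = [regex]::Match($_, $pattern); if ($m.Success) { $m.Groups[1].Value } } |
        Sort-Object -Unique |
        ForEach-Object { if ($DryRun) { "delete $_" } else { netsh.exe advfirewall firewall delete rule name="$_" | Out-Null } }
    return
}

# Keep only lines that begin with a decimal digit or hex letter (IPv4, IPv6,
# CIDR or StartIP-EndIP); anything else is a comment, as the article defines it.
$entries = @(Get-Content $InputFile | ForEach-Object { $_ -replace '\s','' } | Where-Object { $_ -match '^[0-9A-Fa-f]' })
if ($entries.Count -eq 0) { throw "No addresses found in $InputFile" }

for ($i = 0; $i -lt $entries.Count; $i += $MaxRangesPerRule) {
    $last = [Math]::Min($i + $MaxRangesPerRule, $entries.Count) - 1
    $name = '{0}-#{1:000}' -f $RuleName, ([int]($i / $MaxRangesPerRule) + 1)
    $remoteIp = $entries[$i..$last] -join ','   # netsh remoteip= accepts IPs, subnets and StartIP-EndIP ranges
    foreach ($dir in 'in','out') {
        $netshArgs = @('advfirewall','firewall','add','rule', "name=$name", "dir=$dir", 'action=block',
                       "remoteip=$remoteIp", "profile=$ProfileType", "interfacetype=$InterfaceType")
        if ($DryRun) { "netsh.exe $($netshArgs -join ' ')" } else { & netsh.exe @netshArgs | Out-Null }
    }
}
```

Run it with -DryRun first to review the generated rule names and remoteip lists before anything touches the firewall.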

Blocking large numbers of IP addresses or network ID ranges (10,000 for example) appears to have relatively little performance impact, but it does take longer to launch or refresh the Windows Firewall MMC snap-in, and it does take longer to disable/enable network interfaces. This testing was done informally, however, so no hard numbers are available. Please do some testing yourself when importing large input files.

The script is free and in the public domain, you may use it for any purpose whatsoever without restriction. However, that being said...

THIS SCRIPT IS PROVIDED "AS IS" WITH NO WARRANTIES OR GUARANTEES OF ANY KIND, INCLUDING BUT NOT LIMITED TO MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. ALL RISKS OF DAMAGE REMAIN WITH THE USER, EVEN IF THE AUTHOR, SUPPLIER OR DISTRIBUTOR HAS BEEN ADVISED OF THE POSSIBILITY OF ANY SUCH DAMAGE. IF YOUR STATE DOES NOT PERMIT THE COMPLETE LIMITATION OF LIABILITY, THEN DO NOT DOWNLOAD OR USE THE SCRIPT. NO TECHNICAL SUPPORT WILL BE PROVIDED.

Please test the script on non-production servers first, then test on a production server only during off-peak hours and only after having made a full backup.

The SANS Institute hopes you will find the script useful, so best wishes and good luck!


24 Comments

Posted November 3, 2011 at 6:59 PM | Permalink | Reply

Joel Cardella

Jason, I took your SEC 505 class in D.C. this year. Thanks very much for the work you're doing! We are currently evaluating these scripts for use in our enterprise. Great stuff here.

Posted February 23, 2012 at 3:53 PM | Permalink | Reply

Kurbycar32

I had a heck of a time getting the script to work. After reverse engineering (and learning a bunch) I found an extra space on line 111, col 46. The space was preventing the blocklist.txt from being formatted properly on import. After fixing the space I was able to use this on Server 2008 R2. Thanks for the lesson.

Posted February 23, 2012 at 9:55 PM | Permalink | Reply

Jason Fossen

Hi Kurbycar32:
I'm surprised that space character made a difference, it shouldn't have affected the execution in any way, but I'm glad you got it to work and I've removed that space character from the script just in case.
Cheers,
Jason

Posted June 28, 2012 at 7:16 AM | Permalink | Reply

Steven Rasmussen

Greetings,
I'm sooo happy I fell over your article and script on this; I was dreading typing up a large block of rules on our Win2008R2 Server. Also, the other articles and papers from the course it was a part of are very good, although I will admit that I'm still a novice in regards to PowerShell scripting; I am learning.
But this script saved me tons of work and time. THANK YOU!
- Steven

Posted July 24, 2012 at 1:07 PM | Permalink | Reply

Juha Jurvanen

Great script. I thought I'd also actually mention a software with a GUI that also does some neat tricks called Syspeace

Posted December 21, 2014 at 1:10 AM | Permalink | Reply

Ken Wilkins

Jason,
I was simulcast in from here in West Virginia for your 505 class in D.C.
Great class. I like your instruction style.
I found that the lists that I d/l need the large comment. Other than that, it works fine.
Great class.

Posted February 19, 2015 at 8:18 PM | Permalink | Reply

Roberto Neigenfind

What about cloud services from USA companies located in data centers in China? Is there some IP address exception by country for those cases?

Posted February 22, 2015 at 2:42 PM | Permalink | Reply

Jason Fossen

Hi Roberto, no such list that I know of, each cloud vendor would probably have to publish a list for just their services and keep them updated too.

Posted March 11, 2015 at 3:30 PM | Permalink | Reply

Carlos Silva

Hi Jason
I would like to block all IPs except one country.
I think the better way to do this is to create a rule to block all IPs and create a 2nd rule to unblock a group of IPs.
Can you give me some tips on how to change your script to unblock IPs?
Thanks in advance

Posted March 16, 2015 at 2:14 AM | Permalink | Reply

Jason Fossen

Hi Carlos:
It can be done, but there's not a tip per se, it's just editing the script (see the comments in the script, it's in the public domain).
Best Wishes,
Jason

Posted May 31, 2015 at 12:22 PM | Permalink | Reply

Alex

Hello Jason!
I have been using your script for almost a year on Windows 2008 and Windows 2012 servers.
It's really great!
I have never found something similar!
I can block a few countries without problems.
Importing large countries like USA does work (~450 firewall rules inbound), but the problem mentioned takes effect.
[Windows Firewall MMC snap-in]
Firewall is not responding sometimes for a long time
(even on a real powerful dedicated server with 32 GB RAM)
So I don't think Carlos will have success if he tries to import all countries except one, to block.
It's too much for the Firewall.
But I am also interested in finding a solution to only whitelist European countries and some needed IPs.
So every help would be appreciated!
I tried a few ways to switch the Firewall to whitelist, connect via VNC and import only the whitelisted countries but it doesn't work the way it should.
It's crazy we are living in 2015 and almost no Firewall developer offers services like this.

Posted June 3, 2015 at 11:52 AM | Permalink | Reply

Jason Fossen

Hello Alex:
Yes, the graphical Windows Firewall tool does not handle the loading of large rule sets very well. Unfortunately, we don't have any control over that. The best we can do is try to aggregate as many subnets as possible using CIDR masking, even if this results in accidentally blocking some IPs.
As far as finding just European IP ranges, I don't know of a web site specifically for that, I just have the sites already listed in the blog article.
Good Luck!
J.
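The aggregation Jason suggests above, as an added example that is neither the article's nor the script's own code: collapse a "StartIP-EndIP" entry from the block list into the single smallest IPv4 CIDR block that covers it, and report how many addresses outside the range that block also catches. The function names are assumptions; the second sample range is constructed.

```powershell
# Added example: smallest covering CIDR for a StartIP-EndIP entry (IPv4 only).
function ConvertTo-IPv4Number ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($b.Length -ne 4) { throw "IPv4 only: $Ip" }
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function ConvertFrom-IPv4Number ([long]$N) {
    return '{0}.{1}.{2}.{3}' -f ([math]::Floor($N / 16777216) % 256), ([math]::Floor($N / 65536) % 256),
                                 ([math]::Floor($N / 256) % 256), ($N % 256)
}

function Get-CoveringCidr ([string]$Range) {
    $startIp, $endIp = $Range -split '-', 2
    $start = ConvertTo-IPv4Number $startIp.Trim()
    $end   = ConvertTo-IPv4Number $endIp.Trim()
    if ($end -lt $start) { throw "End precedes start: $Range" }
    # Try prefixes from /32 downwards; the first aligned block that contains both
    # ends is the smallest supernet covering the whole range.
    for ($prefix = 32; $prefix -ge 0; $prefix--) {
        $size = [long][math]::Pow(2, 32 - $prefix)
        $net  = $start - ($start % $size)
        if ($end -lt $net + $size) {
            return New-Object PSObject -Property @{
                Range          = $Range
                Cidr           = '{0}/{1}' -f (ConvertFrom-IPv4Number $net), $prefix
                ExtraAddresses = $size - ($end - $start + 1)   # addresses blocked beyond the range
            }
        }
    }
}

# The article's own sample range collapses to 10.4.0.0/16 and over-blocks one
# address (10.4.255.255). The constructed second range straddles a /16 boundary,
# so it needs a /15 and over-blocks 130805 addresses; review each entry's
# ExtraAddresses before accepting the collapsed form.
Get-CoveringCidr '10.4.0.0-10.4.255.254'
Get-CoveringCidr '10.4.255.0-10.5.0.10'
```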

Posted June 12, 2015 at 8:11 PM | Permalink | Reply

Nico van Niekerk

Is there an advantage adding several blocked IP addresses within one rule as opposed to creating a separate rule for each block?
I am using syspeace and ruthlessly block IP addresses from anyone who has rapid failed logins in a very small time frame. The reasoning is that if it is an automated log-in, it would have the right credentials. Hand entering credentials can never be done that rapidly, so they are blocked over a larger window with a second rule. Anyone who tries to login as

Posted June 16, 2015 at 10:45 PM | Permalink | Reply

Jason Fossen

Hi Nico:
There is a trade off between performance and total rule count. There is a variable you can edit in the script to change the number of subnets or IPs per firewall rule if you wish, but be careful of adding too many rules, you can get issues with the graphical firewall management tool when you have many hundreds of rules to load and display.
Cheers,
Jason

Posted September 30, 2015 at 1:06 PM | Permalink | Reply

Jonathan

Thanks mate!
This was what I've been looking for; really great work on these scripts.
I really appreciate you've shared your knowledge, really awesome script.
I've added all from China from the list http://www.nirsoft.net/countryip/cn.html
and it really works well.
The reason was because I was hacked from China to SQL Server, trying to get the sa password, which is disabled, but it is annoying to watch your logs and see this kind of thing:
Date: 30-09-2015 9:59:32
Log: SQL Server (Current - 30-09-2015 9:33:00)
Source:
Message:
Login failed for user 'sa'. Motivo: la contraseña no es válida para el inicio de sesión proporcionado. [CLIENTE: 222.186.61.10]
Thanks m8!

Posted April 8, 2016 at 11:01 AM | Permalink | Reply

Niels

The script used is not usable on a Server 2008 system. Module NetSecurity is not available for Server 2008.

Posted April 20, 2016 at 5:57 PM | Permalink | Reply

Paul

Sorry to bother you. I downloaded the linked script and could not find the folder or files mentioned?
Has this been changed or removed?
Thanks

Posted April 20, 2016 at 6:45 PM | Permalink | Reply

Jason Fossen

Hi Paul:
I just checked, the script should be in the SEC505 zip file (scripts.zip) under the Zip:\Day5-IPSec\Firewall folder.
Cheers,
Jason

Posted June 14, 2016 at 9:15 PM | Permalink | Reply

MikeinNYC

Windows Firewall - Love the idea that you can block HACKERS using a Windows Firewall script.
I would like add that I believe Small Website owners can benefit by using a combination of protections like the firewall blocks listed above mandatory for CN RU etc, along with several other simple

Posted August 14, 2016 at 3:24 PM | Permalink | Reply

Mixa

Hello!
Sorry for my English ((
I found your site by accident, and I am very grateful for this process to automatically add the blocks.
But I had a problem: I have a lot of blocked IP addresses and accidentally blocked my server.
It created around 1000 rules and now the Firewall snap-in freezes and does not start. Now I can't unban certain IP addresses or delete rules.
Please tell me what to do? For example, through Import-Firewall-Blocklist.ps1 I cannot delete a rule.
How can I use this script to remove a lot of rules at once, not just one? Tell me clearly.
I would be grateful for your help! Thank you.

Posted August 14, 2016 at 8:13 PM | Permalink | Reply

Jason Fossen

Hello Mixa:
Unfortunately, the Windows Firewall snap-in does not handle a large number of complex rules very well. First, try to open the Windows Firewall snap-in and let it sit (don't touch it) for 10 minutes. If this fails, use the script or the Remove-NetFirewallRule cmdlet to delete all or some of the rules added. If that fails, run "netsh.exe advfirewall reset ?" to see how to reset the firewall back to the factory default. In general, I wish Microsoft would design their firewall tools to handle large sets of rules better, so we have to work around it as best we can. Best Wishes, J.

Posted August 15, 2016 at 7:15 AM | Permalink | Reply

Mixa

Thank you for your advice, but unfortunately it did not succeed, because the firewall was completely frozen and did not open at all, and there was no response to the commands.
But I have solved the problem, after 8 hours of torment =))
I went to the registry at the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
and manually deleted all the rules created by the script. Removing them took a long time, several hours =)) but it was worth it; the snap-in then starts very quickly.
In any case, a great script, but we must be careful =) I decided to ban entire networks of some countries but banned myself and my server.
At the moment, I have successfully imported more than 703 rules and the snap-in opens fine, but the creation of about 999 rules leads to a complete freeze of Windows Firewall.
Perhaps my experience will be useful to someone =)
Thanks again for the script!

Posted December 16, 2016 at 11:14 AM | Permalink | Reply

dr. neves

First of all, great little script, thank you Jason!
I am just wondering if there is a switch to just create incoming firewall rules; that would significantly lower the number of rules in the firewall. Thank you.

Posted December 18, 2016 at 11:10 PM | Permalink | Reply

Jason Fossen

Hi Dr Neves:
Look in the SEC505 zip file (click on the Downloads link) and then go into the \Day5-IPSec\Firewall folder inside the zip; there you'll find more sample scripts to manage the Windows Firewall. Now, for the country blocking script, though, the number of rules created is a trade-off between load performance and the hassle of having too many rules to see. Feel free to edit the $MaxRangesPerRule variable inside that script!
Cheers,
Jason
