How to block external IP addresses by time in IIS 7.5?

A

Andrey Kamynin2020-03-02 09:09:02

PowerShell

Andrey Kamynin, 2020-03-02 09:09:02

Hello!
Please tell me if there are any tools with which you can solve the problem of blocking external ip addresses in IIS 7.5 in a regular manner in a certain period of time.
So far I see the way to create a task through RequestFiltering / Rules or IP addresses and Domain Restriction (it is possible to specify an ip pool to block). But I can't find a solution for time binding.
For example, does PowerShell have methods for accessing the RequestFiltering/Rules snap-in? Then simply through a sheduler would connect the schedule.
(perhaps the chosen path is fundamentally wrong / suboptimal, so I will be grateful for valuable advice).
Thank you for your attention!
UPD: Many thanks for the advice, I had to listen but look for another solution, because. there are several sites on the host, and I'm not sure that I can correctly solve the problem using WinFirewall. IIS should respond to queries in the future (I don't know how yet).
But the current solution looks like a trace. way for a specific site:

# Добавляем блок. правило разрешающее доступ для сети 10.0.0.0/8
Add-WebConfigurationProperty -Filter 'system.webServer/security/ipSecurity' -PSPath "IIS:\" -Location "test-web" -Name "." -Value @{ipAddress="10.0.0.0";allowed="true";subnetMask="8"} -ErrorAction Stop
# Запрещаем все, что не разрешено
Set-WebConfigurationProperty -Filter 'system.webServer/security/ipSecurity' -Name allowUnlisted -Value False -Location "IIS:\Sites\test-web"
# Дебаг/проверка отработки правила (ждем после применения 5 мин., далее откат)
Wait-Event -Timeout 300
# Удаление разр. правила
Remove-WebConfigurationProperty -Filter 'system.webServer/security/ipSecurity' -PSPath "IIS:\" -Location "test-web" -Name "."
# Смена настройки на разрешено все, что не запрещено.
Set-WebConfigurationProperty -Filter 'system.webServer/security/ipSecurity' -Name allowUnlisted -Value True -Location "IIS:\Sites\test-web"

Clarification: we use the configuration: IP addresses and Domain Restriction, it is necessary to enable the component on the "Add-PSSnapin WebAdministration" server.

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

V

Vladimir Korotenko, 2020-03-02
@firedragon

What router do you have? Might be worth it to do it?
https://habr.com/ru/post/81396/
There, in the ACL, you can specify the working time interval
or create rules using the shiduler, see the end of the file
https://docs.microsoft.com/en-us/iis/configuration. ..

X

xmoonlight, 2020-03-02
@xmoonlight

I write the solution in the "forehead" as a last resort.
We put the cron++ program and execute any commands or shell script at the specified time (by events, etc.).
We write firewall rules in two different bat/cmd files and run them when you need to enable or disable access.

A

Alexey Dmitriev, 2020-03-02
@SignFinder

Powershell allows you to manage Windows Firewall.
Accordingly, put scripts in the task scheduler that create or enable and remove or disable the corresponding blocking rules.