This is a TCP/IP packet filter for Windows NT4, Windows 2000, Windows XP and Windows 2003. The filter can block IP packets based on a set of pre-defined rules, and the rules can also be modified dynamically. The filter can also map TCP/UDP traffic from one port to another port.
It can redirect TCP/UDP network traffic, i.e. map TCP/UDP packets from one port to another port. This is useful if the application does not allow you to change the port number, e.g. you may want to change the NetBIOS session port from 139 to some other port.
Download the 3 files (ipfilter.sys, ifsetup.exe, ifcontrol.exe) to your local machine and run "ifsetup /install".
If you want to remove the packet filter, run "ifsetup /remove".
To start the filter, type "net start ipfilter".
To stop the filter, type "net stop ipfilter".
Use ifcontrol [display|add|del] to display/add/delete rules
Example:
Display the rules used by the ipfilter:
ifcontrol display
Add a rule:
ifcontrol add "50001;TCP;DROP;0.0.0.0-255.255.255.255;0.0.0.0-255.255.255.255;0-65535;135-135"
Delete a rule:
ifcontrol del "50001;TCP;DROP;0.0.0.0-255.255.255.255;0.0.0.0-255.255.255.255;0-65535;135-135"
The configuration is stored in the registry under HKLM\System\CurrentControlSet\Services\ipfilter\Parameters. Here are some of the values:
Rule (REG_MULTI_SZ)
Defines the rules for the packet filter.
TrustLocalNic (REG_DWORD, default value is 1)
If it is set to 1, then all IP packets from the local machine to the local machine are allowed and the rules are bypassed.
BlockPacketByDefault (REG_DWORD, default value is 1)
Defines the default action. If no rule matches an IP packet, the default action is taken. If this value is set to 1, the default action is drop; otherwise, the default action is forward.
Rule := Priority;[TCPUDP_RULE|ICMP_RULE]
Priority := number in decimal format (between 0 and 2^32-1)
- Rules are sorted by priority; a smaller number represents a higher priority, and rules with higher priority are applied before rules with lower priority
TCPUDP_RULE := [TCP|UDP];Action;Source_IP_Range_Set;Destination_IP_Range_Set;Source_Port_Range_Set;Destination_Port_Range_Set[;MAP_PORT]
ICMP_RULE := ICMP;Action;Source_IP_Range_Set;Destination_IP_Range_Set;ICMP_Packet_Type_Range_Set
- For an ICMP rule, the only valid actions are FORWARD and DROP
- ICMP_Packet_Type_Range_Set is a set of ICMP packet types, for example 8 is ICMP ECHO (echo request)
Action := [FORWARD|DROP|MAPL|MAPR]
- FORWARD means allow the packet to go through
- DROP means discard the packet; this causes the packet either not to be sent on the wire or not to be delivered to the application bound to the port
- MAPL means "Map local port": it maps the local port to the port specified in MAP_PORT
- MAPR means "Map remote port": it maps the remote port to the port specified in MAP_PORT
- MAP_PORT is optional and is only valid if the action is MAPL or MAPR
IP_Range := START_IP_ADDRESS [|- END_IP_ADDRESS]
- IP_Range represents the group of IP addresses between two addresses, for example 192.168.0.1-192.168.0.3 includes 3 IP addresses: 192.168.0.1, 192.168.0.2 and 192.168.0.3
IP_Range_Set := IP_Range [|, IP_Range_Set]
- IP_Range_Set represents a group of IP_Range
Port_Range := START_PORT [|- END_PORT]
- Obvious, e.g. 138-139 includes ports 138 and 139
Port_Range_Set := Port_Range [|, Port_Range_Set]
- Port_Range_Set represents a group of Port_Range
Example rules (the TCPUDP_RULE / ICMP_RULE part, without the Priority prefix):
TCP;FORWARD;0.0.0.0-255.255.255.255;0.0.0.0-255.255.255.255;0-65535;0-65535
UDP;FORWARD;0.0.0.0-255.255.255.255;0.0.0.0-255.255.255.255;0-65535;0-65535
ICMP;FORWARD;0.0.0.0-255.255.255.255;0.0.0.0-255.255.255.255;0-255
TCP;MAPL;0.0.0.0-255.255.255.255;0.0.0.0-255.255.255.255;445-445;0-65535;1234
TCP;MAPR;0.0.0.0-255.255.255.255;0.0.0.0-255.255.255.255;0-65535;445-445;1234
Set the following rules on the file server:
ifcontrol add "50000;TCP;MAPL;0.0.0.0-255.255.255.255;0.0.0.0-255.255.255.255;445-445;0-65535;1234"
ifcontrol add "50000;TCP;MAPL;0.0.0.0-255.255.255.255;0.0.0.0-255.255.255.255;139-139;0-65535;1235"
Set the following rules on the client:
ifcontrol add "50000;TCP;MAPR;0.0.0.0-255.255.255.255;0.0.0.0-255.255.255.255;0-65535;445-445;1234"
ifcontrol add "50000;TCP;MAPR;0.0.0.0-255.255.255.255;0.0.0.0-255.255.255.255;0-65535;139-139;1235"
Now you can run a netmon trace and look at the network traffic: the two machines are talking using port 1234 instead of 445 (or 1235 instead of 139) <g>
You can also do the same thing with the Terminal Server port 3389 and many other fun things.
If no rule matches the IP packet, the default action is taken. If a rule matches the IP packet and its action is DROP, the filter does not look at any further rules and the packet is dropped; otherwise, the packet is forwarded.
If you want to use this tool to block the MS-Blaster virus, you can add the rules below:
50001;UDP;DROP;0.0.0.0-255.255.255.255;0.0.0.0-255.255.255.255;0-65535;69-69
50001;TCP;DROP;0.0.0.0-255.255.255.255;0.0.0.0-255.255.255.255;0-65535;69-69
50002;TCP;DROP;0.0.0.0-255.255.255.255;0.0.0.0-255.255.255.255;0-65535;4444-4444
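As an added illustration (not part of the ipfilter tool itself), the following Python models the rule grammar described above and the matching order just stated: rules are tried in priority order, the first match decides, TrustLocalNic bypasses the rules for local-to-local traffic, and BlockPacketByDefault supplies the default action. The rule set it builds is the MS-Blaster rules from this README plus a catch-all FORWARD rule; the function names and the local_ips parameter are my own assumptions.

```python
from ipaddress import IPv4Address
# Hypothetical model (not the ipfilter driver's code) of the README's rule
# grammar and first-match semantics.
ANY = "0.0.0.0-255.255.255.255"

def _ranges(spec, parse):
    """Parse 'a-b,c' into [(lo, hi), ...]; a bare 'a' means the range a-a."""
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.append((parse(lo), parse(hi or lo)))
    return out

def parse_rule(text):
    """Parse 'Priority;PROTO;ACTION;src_set;dst_set;...' into a dict."""
    f = text.split(";")
    rule = {"priority": int(f[0]), "proto": f[1].upper(), "action": f[2].upper(),
            "src": _ranges(f[3], IPv4Address), "dst": _ranges(f[4], IPv4Address)}
    if rule["proto"] == "ICMP":
        rule["types"] = _ranges(f[5], int)            # ICMP_Packet_Type_Range_Set
    else:
        rule["sport"], rule["dport"] = _ranges(f[5], int), _ranges(f[6], int)
        rule["map_port"] = int(f[7]) if len(f) > 7 else None   # MAP_PORT (MAPL/MAPR)
    return rule

def _hit(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)

def evaluate(rules, proto, src, dst, sport=None, dport=None, icmp_type=None,
             block_by_default=True, trust_local_nic=True, local_ips=()):
    """Return (action, map_port): lowest priority number is tried first, the
    first matching rule decides, and BlockPacketByDefault applies otherwise."""
    if trust_local_nic and src in local_ips and dst in local_ips:
        return ("FORWARD", None)                      # TrustLocalNic bypasses rules
    s, d = IPv4Address(src), IPv4Address(dst)
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["proto"] != proto or not (_hit(s, r["src"]) and _hit(d, r["dst"])):
            continue
        if proto == "ICMP" and _hit(icmp_type, r["types"]):
            return (r["action"], None)
        if proto != "ICMP" and _hit(sport, r["sport"]) and _hit(dport, r["dport"]):
            return (r["action"], r["map_port"])
    return ("DROP" if block_by_default else "FORWARD", None)

# Constructed rule set: the README's MS-Blaster rules plus a catch-all FORWARD.
SAMPLE_RULES = [parse_rule(r) for r in (
    f"50001;UDP;DROP;{ANY};{ANY};0-65535;69-69",
    f"50001;TCP;DROP;{ANY};{ANY};0-65535;69-69",
    f"50002;TCP;DROP;{ANY};{ANY};0-65535;4444-4444",
    f"60000;TCP;FORWARD;{ANY};{ANY};0-65535;0-65535")]
```

Because TCP and UDP traffic not covered by a rule falls through to BlockPacketByDefault, a rule set that contains only DROP rules blocks everything else too; the catch-all FORWARD rule in the sample is what lets ordinary TCP traffic through.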
If you have any questions about this tool, please email stone.zhong@gmail.com