使用PowerShell脚本管理Hyper-V宿主机上的虚机网卡访问ACL规则

前情

标题也太绕了

The Add-VMNetworkAdapterExtendedAcl cmdlet creates an extended access control list (ACL) for a virtual network adapter. The ACL allows or denies access to a virtual machine network adapter for network packets based on source IP address, destination IP address, protocol, source port, and destination port.

官方文档

其实在单一Hyper-V宿主机上实现对其上运行的VM网络访问限制，主要是对非集群化部署有用，一旦涉及群集部署或者动态迁移，这个功能就没用了。这些规则是写到宿主机里面的，不会跟随VM而迁移。不过，对于边缘部署或者固定节点部署的VM还是有用的。

脚本实现

# 使用PowerShell脚本管理Hyper-V宿主机上的虚机网卡访问ACL规则
# 输入需要配置的虚机名称
Write-Host -NoNewline -ForegroundColor Magenta '请输入要配置防火墙规则的虚机计算机名（如：VLNX******）'
[String]$VM_Name = Read-Host
# 输入需要配置的宿主机名称
Write-Host -NoNewline -ForegroundColor Magenta '请输入目标虚机的宿主机名（如：PHPV******）'
[String]$VM_HostName= Read-Host

# 默认的网关以及域控制器IP
$VM_Gateway = 192.168.100.254
$VM_ADcontrl1 = 192.168.100.1
$VM_ADcontrl2 = 192.168.100.2
$VM_SecAdmin = 192.168.100.10

$VM_Firewall = {
    param($VM_Name)
    # 清除已有规则
    Get-VMNetworkAdapterExtendedAcl -VMName $VM_Name | Remove-VMNetworkAdapterAcl
    Get-VMNetworkAdapterExtendedAcl -VMName $VM_Name | Remove-VMNetworkAdapterExtendedAcl
    
    # 权重为1~10
    # 阻止流量进出
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Deny -Direction Inbound -RemoteIPAddress ANY -Weight 1
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Deny -Direction Outbound -RemoteIPAddress ANY -Weight 1
    
    # 开启ICMP支持
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Allow -Direction Inbound -Protocol 1 -Weight 2
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Allow -Direction Outbound -Protocol 1 -Weight 2
    
    # 开启本机管理SSH端口
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Allow -Direction Inbound -RemoteIPAddress Any -Protocol tcp -LocalPort 22 -Weight 4 -Stateful $true
    
    #允许访问网关
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Allow -Direction Outbound -RemoteIPAddress $VM_Gateway -Protocol tcp -Weight 5 -Stateful $true
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Allow -Direction Outbound -RemoteIPAddress $VM_Gateway -Protocol udp -Weight 6 -Stateful $true
    
    # 权重为10~99
    # 开启管理端口
    # 允许访问域控制器
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Allow -Direction Outbound -RemoteIPAddress $VM_ADcontrl1 -Weight 10
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Allow -Direction Outbound -RemoteIPAddress $VM_ADcontrl2 -Weight 11
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Allow -Direction Inbound -RemoteIPAddress $VM_ADcontrl1 -Weight 10
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Allow -Direction Inbound -RemoteIPAddress $VM_ADcontrl2 -Weight 11
    
    # 开通WAZUH上传端口
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Allow -Direction Outbound -RemoteIPAddress $VM_SecAdmin -Protocol tcp -RemotePort 1514 -Weight 20 -Stateful $true
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Allow -Direction Outbound -RemoteIPAddress $VM_SecAdmin -Protocol tcp -RemotePort 1515 -Weight 21 -Stateful $true
    
    # 权重为100~150
    # 开启访问其他服务的常规端口
    dd-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Allow -Direction Outbound -Protocol tcp -RemotePort 80 -Weight 100 -Stateful $true
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Allow -Direction Outbound -Protocol tcp -RemotePort 443 -Weight 101 -Stateful $true
    
    # 权重为150~200
    # 特殊端口的设置
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Allow -Direction Inbound -Protocol tcp -LocalPort 10085 -Weight 150 -Stateful $true
    Add-VMNetworkAdapterExtendedAcl -VMName $VM_Name -Action Allow -Direction Outbound -Protocol tcp -RemotePort 9088 -Weight 150 -Stateful $true
    
    # 检查当前规则
    Get-VMNetworkAdapterAcl -VMName $VM_Name | Sort -Property Weight |ft -autosize
    Get-VMNetworkAdapterExtendedAcl -VMName $VM_Name | Sort -Property Weight |ft -autosize
}

Invoke-Command -ComputerName $VM_HostName -ScriptBlock $VM_Firewall -ArgumentList $VM_Name