Blocking IPs or even countries on Windows systems using IPSec
September 13, 2008
First get IPSec installed. It comes with XP’s SP2, so if you haven’t installed SP2 yet, do so. On a server version of Windows this can be tricky: you first install IPSec on an XP machine, then you run the command from XP’s “Program Files/Support” folder.
So, to block one single IP, type this at the command prompt:
ipseccmd -f [IP.YOU.WANT.BLOCK/255.254.0.0=*]
This will block the B class IP you specify in the command.
To see if your blocking attempt was a success, type:
ipseccmd show filters
If you see the IP you typed in the previous command, you’re good.
Now let’s block a whole country. First obtain a list of the IPs of the country you want to block. The easiest way is probably still blockacountry.com: generate the .htaccess, then remove the unwanted words with a text editor using batch replace. Then create a .bat file and, for every IP you got from the above website, write on a separate line:
ipseccmd -f [IP.YOU.WANT.BLOCK/255.254.0.0=*]
On a side note, blockacountry.com provides the IPs in CIDR format. Since IPSec is a Microsoft application, and because of this a bit dumb, you have to convert the IPs from CIDR format to the standard address plus subnet mask.
Let me explain with an example:
127.0.0.1/15 becomes 127.0.0.1/255.254.0.0
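The text-editor step and the CIDR conversion can be scripted. The following is an added example, not part of the original post: it reads "deny from" lines and emits the .bat lines in the command form used above. The .htaccess layout and the sample ranges are constructed assumptions, and the script also clears host bits, so 127.0.0.1/15 comes out as 127.0.0.0/255.254.0.0.

```python
import ipaddress
import re

# Constructed sample of a generated .htaccess (the layout is an assumption).
SAMPLE_HTACCESS = """\
<Limit GET HEAD POST>
order allow,deny
deny from 198.18.0.0/15
deny from 192.0.2.0/24
deny from 203.0.113.77
deny from 198.51.100.9/24
deny from 192.0.2.0/24
deny from not-an-address
allow from all
</Limit>
"""

DENY_RE = re.compile(r"^\s*deny\s+from\s+(\S+)\s*$", re.IGNORECASE)


def cidr_to_filter(entry):
    """Return 'network/dotted.mask' for an IPv4 CIDR range or bare address."""
    # strict=False clears host bits; a bare address is treated as a /32.
    net = ipaddress.IPv4Network(entry, strict=False)
    return f"{net.network_address}/{net.netmask}"


def htaccess_to_bat(text):
    """Build the .bat lines, skipping other directives, bad entries and repeats."""
    lines, seen = [], set()
    for raw in text.splitlines():
        match = DENY_RE.match(raw)
        if not match:
            continue  # not a "deny from" line
        try:
            spec = cidr_to_filter(match.group(1))
        except ValueError:
            continue  # not an IPv4 address or range
        if spec not in seen:
            seen.add(spec)
            # Same command form as used on this page.
            lines.append(f"ipseccmd -f [{spec}=*]")
    return lines


if __name__ == "__main__":
    print("\n".join(htaccess_to_bat(SAMPLE_HTACCESS)))
```

Redirect the output to a .bat file and check the result with the show filters command above.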
And that was all. As always, if you need help, shout.