{"id":7363,"date":"2026-03-26T16:56:14","date_gmt":"2026-03-26T15:56:14","guid":{"rendered":"https:\/\/workboot.fr\/ciela\/?page_id=7363"},"modified":"2026-03-30T15:44:35","modified_gmt":"2026-03-30T14:44:35","slug":"tp2_vb_reseau","status":"publish","type":"page","link":"https:\/\/workboot.fr\/ciela\/tp2_vb_reseau\/","title":{"rendered":"TP2_VB_FireWall"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">\ud83d\udd52 : 3 h maximum<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using iptables, the Linux firewall, to manage and protect a machine<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">ufw relies on iptables to provide the firewall on Linux.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On Linux, the real firewalling capability comes from the&nbsp;<strong>netfilter<\/strong>&nbsp;subsystem built into the kernel. iptables is the command-line tool that talks directly to netfilter, while UFW (Uncomplicated Firewall) was designed to make configuring iptables easier with simpler commands.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this lab we will focus on iptables.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Start by restoring the lab room from the previous lab.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With m1 to m3 on network R0 and m4 to m6 on network R1.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We also have m7, which has iptables installed: the Linux firewall!<\/p>\n\n\n\n<h2 id=\"le-protocole-de-ping-icmp-sous-controle\" class=\"wp-block-heading\">The ping protocol (icmp) under control<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">m7, where iptables is installed, will block icmp requests and then allow them again.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We will test pinging m7 from m1, m2 and so on up to m6.<\/p>\n\n\n\n<h3 id=\"pour-interdire-icmp-ping\" class=\"wp-block-heading\">To forbid icmp (ping)<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The iptables rules can be checked with the -L option:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@m7:~# iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT\nroot@m7:~# iptables -L                                                  \nChain INPUT (policy ACCEPT)\ntarget     prot opt source               destination         \nREJECT     icmp --  anywhere             anywhere             icmp echo-request reject-with icmp-port-unreachable\n\nChain FORWARD (policy ACCEPT)\ntarget     prot opt source               destination         \n\nChain OUTPUT (policy ACCEPT)\ntarget     prot opt source               destination         \n<\/code><\/pre>\n\n\n\n<h3 id=\"pour-enlever-la-regle-delete-autoriser-le-ping\" class=\"wp-block-heading\">To remove the rule (Delete) and allow ping again<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -D INPUT -p icmp --icmp-type echo-request -j REJECT<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>root@m7:~# iptables -D INPUT -p icmp --icmp-type echo-request -j REJECT\nroot@m7:~# iptables -L\nChain INPUT (policy ACCEPT)\ntarget     prot opt source               destination         \n\nChain FORWARD (policy ACCEPT)\ntarget     prot opt source               destination         \n\nChain OUTPUT (policy ACCEPT)\ntarget     prot opt source               destination         \nroot@m7:~# \n<\/code><\/pre>\n\n\n\n<h4 id=\"pourquoi-interdire-le-protocole-icmp-sur-une-machine-en-cybersecurite\" class=\"wp-block-heading\">Why forbid the icmp protocol on a machine (from a cybersecurity standpoint)<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">iptables organises its rules in chains: OUTPUT (outgoing traffic), INPUT (incoming traffic) and FORWARD (traffic passing through the machine).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@m7:~# iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT\nroot@m7:~# iptables -L OUTPUT \nChain OUTPUT (policy ACCEPT)\ntarget     prot opt source               destination         \n<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">root@m7:~# iptables -L INPUT \nChain INPUT (policy ACCEPT)\ntarget     prot opt source               destination         \nREJECT     icmp --  anywhere             anywhere             icmp echo-request reject-with icmp-port-unreachable<\/mark>\nroot@m7:~# iptables -L FORWARD \nChain FORWARD (policy ACCEPT)\ntarget     prot opt source               destination         \nroot@m7:~# \n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Here we see that an INPUT rule rejects incoming icmp echo requests, while the OUTPUT and FORWARD chains are left untouched.<\/p>\n\n\n\n<h2 id=\"ssh-vers-m7\" class=\"wp-block-heading\">ssh to m7<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We are going to connect to m7 from m1 to m6; we will focus on m1.<\/p>\n\n\n\n<h3 id=\"machine-m7\" class=\"wp-block-heading\">machine m7<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">On machine m7, check that the sshd service (ssh server) is running!<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@m7:~# systemctl status ssh    \n\u25cf ssh.service - OpenBSD Secure Shell server\n     Loaded: loaded (\/lib\/systemd\/system\/ssh.service; enabled; vendor preset: enabled)\n     Active: active (running) since Mon 2026-03-30 11:09:33 CEST; 1h 23min ago\n       Docs: man:sshd(8)\n             man:sshd_config(5)\n    Process: 506 ExecStartPre=\/usr\/sbin\/sshd -t (code=exited, status=0\/SUCCESS)\n   Main PID: 509 (sshd)\n      Tasks: 1 (limit: 1115)\n     Memory: 6.6M\n        CPU: 779ms\n     CGroup: \/system.slice\/ssh.service\n             \u2514\u2500509 sshd: \/usr\/sbin\/sshd -D &#91;listener] 0 of 10-100 startups\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Here we see that it is OK!<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/m1_ssh_m7.png\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"653\" src=\"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/m1_ssh_m7.png\" alt=\"\" class=\"wp-image-7401\" srcset=\"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/m1_ssh_m7.png 800w, https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/m1_ssh_m7-300x245.png 300w, https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/m1_ssh_m7-768x627.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/a><\/figure>\n\n\n\n<h3 id=\"machine-m1-ou-mx\" class=\"wp-block-heading\">machine m1 or mx!<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Machines m1 to m6 are simple clients and must have the ssh client available; the case of m6 is shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/m6_ssh_m7.png\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"653\" src=\"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/m6_ssh_m7.png\" alt=\"\" class=\"wp-image-7402\" srcset=\"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/m6_ssh_m7.png 800w, https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/m6_ssh_m7-300x245.png 300w, https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/m6_ssh_m7-768x627.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/a><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code># we use whereis\nwhereis ssh # and we see that the ssh client is indeed available<\/code><\/pre>\n\n\n\n<h3 id=\"bloquons-m6\" class=\"wp-block-heading\">Let's block m6<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>root@m7:~# iptables -A INPUT -s 192.168.1.6 -p tcp --dport 22 -j DROP\nroot@m7:~# iptables -L\nChain INPUT (policy ACCEPT)\ntarget     prot opt source               destination         \nREJECT     icmp --  anywhere             anywhere             icmp echo-request reject-with icmp-port-unreachable\nDROP       tcp  --  192.168.1.6          anywhere             tcp dpt:ssh\n\nChain FORWARD (policy ACCEPT)\ntarget     prot opt source               destination         \n\nChain OUTPUT (policy ACCEPT)\ntarget     prot opt source               destination         \nroot@m7:~# \n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Note the difference between the two targets: REJECT answers the sender with an error (here icmp-port-unreachable), whereas DROP silently discards the packet, so the ssh client on m6 only sees a timeout.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To delete this rule:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -D INPUT -s 192.168.1.6 -p tcp --dport 22 -j DROP<\/code><\/pre>\n\n\n\n<h4 id=\"une-autre-possibilite-d-enlever-les-regles-par-ligne\" class=\"wp-block-heading\">Another way to remove rules, by line number<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -L INPUT --line-numbers -n  # read off the line number of the rule\niptables -D INPUT &lt;number&gt;  # delete that rule<\/code><\/pre>\n\n\n\n<h5 id=\"faire-un-test-et-proposer-des-exemples\" class=\"wp-block-heading\">Run a test and propose examples<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">Block an IP address (all protocols, not only ssh):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -A INPUT -s 192.168.1.6 -j DROP<\/code><\/pre>\n\n\n\n<h2 id=\"autoriser-internet-sur-tous-les-postes-nat\" class=\"wp-block-heading\">Allow internet on all machines (nat)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To allow internet sharing, the kernel must be allowed to forward packets between interfaces by setting net.ipv4.ip_forward=1:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sysctl -w net.ipv4.ip_forward=1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">To make it permanent across reboots:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"net.ipv4.ip_forward=1\" &gt;&gt; \/etc\/sysctl.conf<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">or uncomment the corresponding line in \/etc\/sysctl.conf<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/netipv4.ip_forward.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"521\" src=\"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/netipv4.ip_forward-1024x521.png\" alt=\"\" class=\"wp-image-7451\" srcset=\"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/netipv4.ip_forward-1024x521.png 1024w, https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/netipv4.ip_forward-300x153.png 300w, https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/netipv4.ip_forward-768x391.png 768w, https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/netipv4.ip_forward.png 1366w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Here enp0s3 is the interface of m7 that leads to the internet. Test and validate your sharing.<\/p>\n\n\n\n<h2 id=\"autoriser-le-partage-internet-que-sur-r0\" class=\"wp-block-heading\">Allow internet sharing only for R0<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -t nat -A POSTROUTING -s 192.168.0.0\/24 -o enp0s3 -j MASQUERADE\n<\/code><\/pre>\n\n\n\n<h2 id=\"autoriser-le-partage-internet-que-sur-r1\" class=\"wp-block-heading\">Allow internet sharing only for R1<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -t nat -A POSTROUTING -s 192.168.1.0\/24 -o enp0s3 -j MASQUERADE\n<\/code><\/pre>\n\n\n\n<h4 id=\"verifier-les-regles-et-supprimer-la-regle-autorisant-r0-a-acceder-a-internet\" class=\"wp-block-heading\">Check the rules, then delete the rule allowing R0 to access the internet.<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>root@m7:~# iptables -t nat -A POSTROUTING -s 192.168.0.0\/24 -o enp0s3 -j MASQUERADE  # R0, not R1\nroot@m7:~# iptables -t nat -L -n -v\nChain PREROUTING (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n\nChain INPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n\nChain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n    1    84 MASQUERADE  all  --  *      enp0s3  192.168.0.0\/24       0.0.0.0\/0           \nroot@m7:~# iptables -t nat -D POSTROUTING 1\nroot@m7:~# iptables -t nat -L -n -v\nChain PREROUTING (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n\nChain INPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n\nChain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \nroot@m7:~# \n<\/code><\/pre>\n\n\n\n<h3 id=\"bloquer-sur-le-reseau-local-une-adresse-mac\" class=\"wp-block-heading\">Block a MAC address on the local network<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The MAC match only makes sense for frames received directly from the local network segment: for traffic that has been routed, the source MAC seen by m7 is that of the last router, not that of the original machine.<\/p>\n\n\n\n<h2 id=\"tester-de-bloquer-la-mac-adresse-de-la-machine-m2\" class=\"wp-block-heading\">Try blocking the MAC address of machine m2<\/h2>\n\n\n\n<h2 id=\"sauvegarder-les-regles-iptables\" class=\"wp-block-heading\">Save the iptables rules<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">On Debian the simplest is to use iptables-persistent:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Debian \/ Ubuntu\napt update\napt install iptables-persistent<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">When you want to save the rules currently active on the machine (otherwise they are lost at reboot), use the command netfilter-persistent save:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>netfilter-persistent save<\/code><\/pre>\n\n\n\n<h2 id=\"quelques-scripts-pour-aller-plus-vite-et-faire-des-tests\" class=\"wp-block-heading\">A few scripts to go faster and run tests<\/h2>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>set net.ipv4.ip_forward=1<\/summary>\n<pre class=\"wp-block-code\"><code>sysctl -w net.ipv4.ip_forward=1<\/code><\/pre>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>internet sharing for the whole local network<\/summary>\n<pre class=\"wp-block-code\"><code>iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE<\/code><\/pre>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>internet sharing for R0 only<\/summary>\n<pre class=\"wp-block-code\"><code>iptables -t nat -A POSTROUTING -s 192.168.0.0\/24 -o enp0s3 -j MASQUERADE\n<\/code><\/pre>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>internet sharing for R1 only<\/summary>\n<pre class=\"wp-block-code\"><code>iptables -t nat -A POSTROUTING -s 192.168.1.0\/24 -o enp0s3 -j MASQUERADE\n<\/code><\/pre>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>list the nat POSTROUTING rules<\/summary>\n<pre class=\"wp-block-code\"><code>iptables -t nat -L POSTROUTING -n --line-numbers<\/code><\/pre>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>delete postrouting line 1<\/summary>\n<pre class=\"wp-block-code\"><code>iptables -t nat -D POSTROUTING 1\n<\/code><\/pre>\n<\/details>\n\n\n\n<p class=\"wp-block-paragraph\">At the end, machine m7 is operational:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/final_iptables.png\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"653\" src=\"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/final_iptables.png\" alt=\"\" class=\"wp-image-7454\" srcset=\"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/final_iptables.png 800w, https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/final_iptables-300x245.png 300w, https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/final_iptables-768x627.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/a><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The net.ipv4.ip_forward bit is still set to 1 (gateway).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And the nat internet sharing is working.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ud83d\udd52 : 3 h 
maximum ufw s&rsquo;appuie sur iptables pour faire le firewall sous linux Sur Linux, la v\u00e9ritable capacit\u00e9 de pare-feu vient du sous-syst\u00e8me&nbsp;netfilter&nbsp;int\u00e9gr\u00e9 au noyau. iptables est l&rsquo;outil [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","_uag_custom_page_level_css":"","footnotes":""},"class_list":["post-7363","page","type-page","status-publish","hentry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>TP2_VB_FireWall - workboot<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/workboot.fr\/ciela\/tp2_vb_reseau\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"TP2_VB_FireWall - workboot\" \/>\n<meta property=\"og:description\" content=\"\ud83d\udd52 : 3 h maximum ufw s&rsquo;appuie sur iptables pour faire le firewall sous linux Sur Linux, la v\u00e9ritable capacit\u00e9 de pare-feu vient du sous-syst\u00e8me&nbsp;netfilter&nbsp;int\u00e9gr\u00e9 au noyau. 
iptables est l&rsquo;outil [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/workboot.fr\/ciela\/tp2_vb_reseau\/\" \/>\n<meta property=\"og:site_name\" content=\"workboot\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-30T14:44:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/m1_ssh_m7.png\" \/>\n\t<meta property=\"og:image:width\" content=\"800\" \/>\n\t<meta property=\"og:image:height\" content=\"653\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:label1\" content=\"Dur\u00e9e de lecture estim\u00e9e\" \/>\n\t<meta name=\"twitter:data1\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/tp2_vb_reseau\\\/\",\"url\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/tp2_vb_reseau\\\/\",\"name\":\"TP2_VB_FireWall - 
workboot\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/tp2_vb_reseau\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/tp2_vb_reseau\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/m1_ssh_m7.png\",\"datePublished\":\"2026-03-26T15:56:14+00:00\",\"dateModified\":\"2026-03-30T14:44:35+00:00\",\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/workboot.fr\\\/ciela\\\/tp2_vb_reseau\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/tp2_vb_reseau\\\/#primaryimage\",\"url\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/m1_ssh_m7.png\",\"contentUrl\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/m1_ssh_m7.png\",\"width\":800,\"height\":653},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/#website\",\"url\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/\",\"name\":\"workboot\",\"description\":\"Open Source, Open Minds 
\",\"publisher\":{\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"fr-FR\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/#organization\",\"name\":\"workboot\",\"url\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/logo_ciel-dorian-1.png\",\"contentUrl\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/logo_ciel-dorian-1.png\",\"width\":1024,\"height\":950,\"caption\":\"workboot\"},\"image\":{\"@id\":\"https:\\\/\\\/workboot.fr\\\/ciela\\\/#\\\/schema\\\/logo\\\/image\\\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"TP2_VB_FireWall - workboot","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/workboot.fr\/ciela\/tp2_vb_reseau\/","og_locale":"fr_FR","og_type":"article","og_title":"TP2_VB_FireWall - workboot","og_description":"\ud83d\udd52 : 3 h maximum ufw s&rsquo;appuie sur iptables pour faire le firewall sous linux Sur Linux, la v\u00e9ritable capacit\u00e9 de pare-feu vient du sous-syst\u00e8me&nbsp;netfilter&nbsp;int\u00e9gr\u00e9 au noyau. 
iptables est l&rsquo;outil [&hellip;]","og_url":"https:\/\/workboot.fr\/ciela\/tp2_vb_reseau\/","og_site_name":"workboot","article_modified_time":"2026-03-30T14:44:35+00:00","og_image":[{"width":800,"height":653,"url":"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/m1_ssh_m7.png","type":"image\/png"}],"twitter_misc":{"Dur\u00e9e de lecture estim\u00e9e":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/workboot.fr\/ciela\/tp2_vb_reseau\/","url":"https:\/\/workboot.fr\/ciela\/tp2_vb_reseau\/","name":"TP2_VB_FireWall - workboot","isPartOf":{"@id":"https:\/\/workboot.fr\/ciela\/#website"},"primaryImageOfPage":{"@id":"https:\/\/workboot.fr\/ciela\/tp2_vb_reseau\/#primaryimage"},"image":{"@id":"https:\/\/workboot.fr\/ciela\/tp2_vb_reseau\/#primaryimage"},"thumbnailUrl":"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/m1_ssh_m7.png","datePublished":"2026-03-26T15:56:14+00:00","dateModified":"2026-03-30T14:44:35+00:00","inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/workboot.fr\/ciela\/tp2_vb_reseau\/"]}]},{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/workboot.fr\/ciela\/tp2_vb_reseau\/#primaryimage","url":"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/m1_ssh_m7.png","contentUrl":"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2026\/03\/m1_ssh_m7.png","width":800,"height":653},{"@type":"WebSite","@id":"https:\/\/workboot.fr\/ciela\/#website","url":"https:\/\/workboot.fr\/ciela\/","name":"workboot","description":"Open Source, Open Minds 
","publisher":{"@id":"https:\/\/workboot.fr\/ciela\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/workboot.fr\/ciela\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-FR"},{"@type":"Organization","@id":"https:\/\/workboot.fr\/ciela\/#organization","name":"workboot","url":"https:\/\/workboot.fr\/ciela\/","logo":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/workboot.fr\/ciela\/#\/schema\/logo\/image\/","url":"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2025\/05\/logo_ciel-dorian-1.png","contentUrl":"https:\/\/workboot.fr\/ciela\/wp-content\/uploads\/2025\/05\/logo_ciel-dorian-1.png","width":1024,"height":950,"caption":"workboot"},"image":{"@id":"https:\/\/workboot.fr\/ciela\/#\/schema\/logo\/image\/"}}]}},"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false},"uagb_author_info":{"display_name":"admin","author_link":"https:\/\/workboot.fr\/ciela\/author\/admin\/"},"uagb_comment_info":0,"uagb_excerpt":"\ud83d\udd52 : 3 h maximum ufw s&rsquo;appuie sur iptables pour faire le firewall sous linux Sur Linux, la v\u00e9ritable capacit\u00e9 de pare-feu vient du sous-syst\u00e8me&nbsp;netfilter&nbsp;int\u00e9gr\u00e9 au noyau. 
iptables est l&rsquo;outil [&hellip;]","_links":{"self":[{"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/pages\/7363","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/comments?post=7363"}],"version-history":[{"count":48,"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/pages\/7363\/revisions"}],"predecessor-version":[{"id":7459,"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/pages\/7363\/revisions\/7459"}],"wp:attachment":[{"href":"https:\/\/workboot.fr\/ciela\/wp-json\/wp\/v2\/media?parent=7363"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}