#!/bin/sh kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# iptables -t nat -F kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# iptables -F kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# # NAT kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# iptables -t nat -A POSTROUTING --source 192.1.3.0/24 --destination 0.0.0.0/0 -j SNAT --to-source 192.1.2.254 kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# # make sure that we never acidentially let ESP through. kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# iptables -N LOGDROP kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# iptables -A LOGDROP -j LOG kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# iptables -A LOGDROP -j DROP kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# iptables -I FORWARD 1 --proto 50 -j LOGDROP kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# #iptables -I FORWARD 2 --destination 192.0.2.0/24 -j LOGDROP kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# #iptables -I FORWARD 3 --source 192.0.2.0/24 -j LOGDROP kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# # route kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# #iptables -I INPUT 1 --destination 192.0.2.0/24 -j LOGDROP kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# # Display the table, so we know it is correct. kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# iptables -t nat -L -n Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 192.1.3.0/24 0.0.0.0/0 to:192.1.2.254 kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# iptables -L -n Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination LOGDROP esp -- 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain LOGDROP (1 references) target prot opt source destination LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 DROP all -- 0.0.0.0/0 0.0.0.0/0 kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# echo done. done. kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# : ==== end ==== kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# # on east this should show 2 sets of in/fwd/out policies kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# ../../pluto/bin/ipsec-look.sh kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# # check both connections still work on east kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01]# hostname | grep east > /dev/null && ping -c2 192.0.2.101 kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh 'hostname | grep east > /dev/null && ping -c2 192.0.2.101' <<<<<<<<< /dev/null && ping -c2 192.0.2.102 kroot@swantest:/home/build/libreswan/testing/pluto/ikev1-psk-dual-behind-nat-01\[root@nic ikev1-psk-dual-behind-nat-01 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh 'hostname | grep east > /dev/null && ping -c2 192.0.2.102' <<<<<<<<<>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 33 final.sh 'ipsec whack --trafficstatus' <<<<<<<<<