iptables -t nat -F
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# iptables -F
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# # NAT
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# iptables -t nat -A POSTROUTING --source 192.1.3.0/24 --destination 0.0.0.0/0 -j SNAT --to-source 192.1.2.254
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# # make sure that we never acidentially let ESP through.
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# iptables -N LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# iptables -A LOGDROP -j LOG
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# iptables -A LOGDROP -j DROP
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# #
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# iptables -I FORWARD 1 --proto 50 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# iptables -I FORWARD 2 --destination 192.0.2.0/24 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# iptables -I FORWARD 3 --source 192.0.2.0/24 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# # route
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# iptables -I INPUT 1 --destination 192.0.2.0/24 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# # Display the table, so we know it is correct.
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.1.3.0/24         0.0.0.0/0            to:192.1.2.254
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LOGDROP    all  --  0.0.0.0/0            192.0.2.0/24        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
LOGDROP    esp  --  0.0.0.0/0            0.0.0.0/0           
LOGDROP    all  --  0.0.0.0/0            192.0.2.0/24        
LOGDROP    all  --  192.0.2.0/24         0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain LOGDROP (4 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# echo "initdone"
initdone
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# : ==== end ====
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# : ==== cut ====
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# : ==== tuc ====
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# ../bin/check-for-core.sh
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
type=AVC msg=audit(1566824781.750:169760): avc:  denied  { write } for  pid=5361 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=942309374 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
type=AVC msg=audit(1566824971.384:175929): avc:  denied  { write } for  pid=23155 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=274701067 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
type=AVC msg=audit(1566824973.741:176108): avc:  denied  { write } for  pid=25718 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=577755953 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
type=AVC msg=audit(1566824973.741:176109): avc:  denied  { write } for  pid=25716 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=577755917 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]# : ==== end ====
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-48-nat-cp\[root@nic ikev2-48-nat-cp]#