#!/bin/sh
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# iptables -t nat -F
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# iptables -F
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# # NAT
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# iptables -t nat -A POSTROUTING --source 192.1.3.0/24 --destination 0.0.0.0/0 -j SNAT --to-source 192.1.2.254
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# # make sure that we never acidentially let ESP through.
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# iptables -N LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# iptables -A LOGDROP -j LOG
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# iptables -A LOGDROP -j DROP
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# iptables -I FORWARD 1 --proto 50 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# #iptables -I FORWARD 2 --destination 192.0.2.0/24 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# #iptables -I FORWARD 3 --source 192.0.2.0/24 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# # route
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# #iptables -I INPUT 1 --destination 192.0.2.0/24 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# # Display the table, so we know it is correct.
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.1.3.0/24         0.0.0.0/0            to:192.1.2.254
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
LOGDROP    esp  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain LOGDROP (1 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# echo done.
done.
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# : ==== end ====
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# ../../pluto/bin/ipsec-look.sh
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# # a tunnel should have established
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# grep "negotiated connection" /tmp/pluto.log
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh 'grep "negotiated connection" /tmp/pluto.log' <<<<<<<<<<tuc<<<<<<<<<<: ==== cut ====
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# ipsec auto --status
whack: Pluto is not running (no "/run/pluto/pluto.ctl")
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop 33]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 33 final.sh 'ipsec auto --status' <<<<<<<<<<tuc<<<<<<<<<<: ==== tuc ====
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# ../bin/check-for-core.sh
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
type=AVC msg=audit(1566825559.941:204904): avc:  denied  { write } for  pid=30480 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=578160073 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]# : ==== end ====
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-22-nat-poc-cop\[root@nic newoe-22-nat-poc-cop]#