#!/bin/sh
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# iptables -t nat -F
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# iptables -F
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# # NAT
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# iptables -t nat -A POSTROUTING --source 192.1.3.0/24 --destination 0.0.0.0/0 -j SNAT --to-source 192.1.2.254
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# # make sure that we never accidentally let ESP through.
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# iptables -N LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# iptables -A LOGDROP -j LOG
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# iptables -A LOGDROP -j DROP
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# iptables -I FORWARD 1 --proto 50 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# #iptables -I FORWARD 2 --destination 192.0.2.0/24 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# #iptables -I FORWARD 3 --source 192.0.2.0/24 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# # route
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# #iptables -I INPUT 1 --destination 192.0.2.0/24 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# # Display the table, so we know it is correct.
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.1.3.0/24         0.0.0.0/0            to:192.1.2.254
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
LOGDROP    esp  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain LOGDROP (1 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# echo done.
done.
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# : ==== end ====
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# : ==== cut ====
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# ipsec auto --status
whack: Pluto is not running (no "/run/pluto/pluto.ctl")
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08 33]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 33 final.sh 'ipsec auto --status' <<<<<<<<<<tuc<<<<<<<<<<: ==== tuc ====
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# grep 'Result using RFC 3947' /tmp/pluto.log
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh 'grep 'Result using RFC 3947' /tmp/pluto.log' <<<<<<<<<<tuc<<<<<<<<<<../bin/check-for-core.sh
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
type=AVC msg=audit(1566844133.486:265910): avc:  denied  { write } for  pid=7504 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=295084539 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
type=AVC msg=audit(1566844133.996:266013): avc:  denied  { write } for  pid=8463 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=63889669 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]# : ==== end ====
kroot@swantest:/home/build/libreswan/testing/pluto/nat-pluto-08\[root@nic nat-pluto-08]#