iptables -t nat -F
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# iptables -F
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# # NAT
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# iptables -t nat -A POSTROUTING --source 192.1.3.209/32 --destination 0.0.0.0/0 -j SNAT --to-source 192.1.2.254
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# iptables -t nat -A POSTROUTING --source 192.1.3.210/32 --destination 0.0.0.0/0 -j SNAT --to-source 192.1.2.63
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# # make sure that we never accidentally let raw ESP (IP proto 50) through; ESP-in-UDP (NAT-T) is not matched by this rule.
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# iptables -N LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# iptables -A LOGDROP -j LOG
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# iptables -A LOGDROP -j DROP
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# #
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# iptables -I FORWARD 1 --proto 50 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# iptables -I FORWARD 2 --destination 192.0.2.0/24 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# iptables -I FORWARD 3 --source 192.0.2.0/24 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# # also drop traffic for 192.0.2.0/24 that is delivered locally (INPUT), not only forwarded
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# iptables -I INPUT 1 --destination 192.0.2.0/24 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# # Display the nat and filter tables so we know they are correct (chain policies stay ACCEPT; only the LOGDROP rules above drop traffic).
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.1.3.209          0.0.0.0/0            to:192.1.2.254
SNAT       all  --  192.1.3.210          0.0.0.0/0            to:192.1.2.63
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LOGDROP    all  --  0.0.0.0/0            192.0.2.0/24        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
LOGDROP    esp  --  0.0.0.0/0            0.0.0.0/0           
LOGDROP    all  --  0.0.0.0/0            192.0.2.0/24        
LOGDROP    all  --  192.0.2.0/24         0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain LOGDROP (4 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# echo "initdone"
initdone
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# : ==== end ====
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# ipsec status | grep eastnet
whack: Pluto is not running (no "/run/pluto/pluto.ctl")
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh 'ipsec status | grep eastnet' <<<<<<<<<<tuc<<<<<<<<<<# should show no hits
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh '# should show no hits' <<<<<<<<<<tuc<<<<<<<<<<grep INVALID_IKE_SPI /tmp/pluto.log
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh 'grep INVALID_IKE_SPI /tmp/pluto.log' <<<<<<<<<<tuc<<<<<<<<<<: ==== cut ====
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# : ==== tuc ====
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# ../bin/check-for-core.sh
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]# if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh 'if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi' <<<<<<<<<<tuc<<<<<<<<<<: ==== end ====
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-hostpair-01\[root@nic ikev2-hostpair-01]#