iptables -t nat -F
nic #
 iptables -F
nic #
 # NAT
nic #
 iptables -t nat -A POSTROUTING -s 192.1.3.0/24 -p udp --sport 4500 -j SNAT --to-source 192.1.2.254:3500-3700
nic #
 iptables -t nat -A POSTROUTING -s 192.1.3.0/24 -p udp --sport 500 -j SNAT --to-source 192.1.2.254:2500-2700
nic #
 iptables -t nat -A POSTROUTING --source 192.1.3.0/24 --destination 0.0.0.0/0 -j SNAT --to-source 192.1.2.254
nic #
 # make sure that we never acidentially let ESP through.
nic #
 iptables -N LOGDROP
nic #
 iptables -A LOGDROP -j LOG
nic #
 iptables -A LOGDROP -j DROP
nic #
 #
nic #
 iptables -I FORWARD 1 --proto 50 -j LOGDROP
nic #
 iptables -I FORWARD 2 --destination 192.0.2.0/24 -j LOGDROP
nic #
 iptables -I FORWARD 3 --source 192.0.2.0/24 -j LOGDROP
nic #
 # route
nic #
 iptables -I INPUT 1 --destination 192.0.2.0/24 -j LOGDROP
nic #
 # Display the table, so we know it is correct.
nic #
 iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       udp  --  192.1.3.0/24         0.0.0.0/0            udp spt:4500 to:192.1.2.254:3500-3700
SNAT       udp  --  192.1.3.0/24         0.0.0.0/0            udp spt:500 to:192.1.2.254:2500-2700
SNAT       all  --  192.1.3.0/24         0.0.0.0/0            to:192.1.2.254
nic #
 iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LOGDROP    all  --  0.0.0.0/0            192.0.2.0/24        
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
LOGDROP    esp  --  0.0.0.0/0            0.0.0.0/0           
LOGDROP    all  --  0.0.0.0/0            192.0.2.0/24        
LOGDROP    all  --  192.0.2.0/24         0.0.0.0/0           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain LOGDROP (4 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
nic #
 echo "initdone"
initdone

