I have a Linux box running in AWS EC2 with just one interface - eth0.
This interface is connected to the private subnet 172.16.0.0 and has the IP 10.95.114.69 on it.
All hosts in that subnet are reachable from this Linux box.
This box terminates an IPsec tunnel with subnet 10.0.77.0 behind it.
I can reach any host in that subnet from this Linux box, and can reach this Linux box from that subnet.
The idea is that this box NATs traffic from IPsec and passes it to the 172.16.0.0 network from its own source.
I added a bunch of rules to trace packets:
firewall-cmd --direct --get-all-rule | grep 10.0.77
ipv4 mangle POSTROUTING_direct 3 -s 10.0.77.0/24 -j LOG --log-prefix 'MANGLE POST Where is my packet? '
ipv4 filter OUTPUT_direct 3 -s 10.0.77.0/24 -j LOG --log-prefix 'OUT Where is my packet?'
ipv4 nat POSTROUTING_direct 3 -s 10.0.77.0/24 -j LOG --log-prefix 'NAT POST Where is my packet?'
ipv4 nat POSTROUTING_direct 3 -s 10.0.77.0/24 -j MASQUERADE
ipv4 mangle FORWARD_direct 3 -s 10.0.77.0/24 -j LOG --log-prefix 'MANGLE FORWARD Where is my packet? '
ipv4 mangle INPUT_direct 3 -s 10.0.77.0/24 -j LOG --log-prefix 'MANGLE INPUT Where is my packet? '
ipv4 nat PREROUTING_direct 3 -s 10.0.77.0/24 -j LOG --log-prefix 'PRE Where is my packet?'
ipv4 filter INPUT_direct 3 -s 10.0.77.0/24 -j LOG --log-prefix 'INPUT Where is my packet?'
ipv4 filter FORWARD_direct 3 -s 10.0.77.0/24 -j LOG --log-prefix 'FORWARD Where is my packet?'
And... I see only 'PRE Where is my packet?' in the logs.
For me this means that the routing decision is not taken.
Packets are not rejected, because the firewall is tracking all denied packets.
If I assign one of the IPs from subnet 10.0.77.0 to the box itself and use it as a source to reach 172.16.0.0, everything works. But this is a little bit different, since the packet originates locally.
Any advice where to look?
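Added example, not part of the question: a small POSIX shell script that reads syslog lines produced by the LOG rules above and reports which netfilter hooks a packet from 10.0.77.0/24 reached, then gives a verdict on whether routing forwarded it, delivered it locally, or lost it after nat PREROUTING. It assumes the standard LOG target format (the prefix is printed immediately before IN=), and the log lines are constructed, not real output from the asker's box.

```shell
# Constructed syslog sample for an ICMP echo from the IPsec side; only the nat
# PREROUTING rule fired, which is the situation described in the question.
SAMPLE_LOG='Jun  1 10:00:01 vpn kernel: PRE Where is my packet?IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.77.5 DST=172.16.0.10 LEN=84 TTL=63 ID=1 PROTO=ICMP TYPE=8 CODE=0
Jun  1 10:00:02 vpn kernel: [ 1234.567890] PRE Where is my packet?IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.77.5 DST=172.16.0.10 LEN=84 TTL=63 ID=2 PROTO=ICMP TYPE=8 CODE=0'

# Hook points in traversal order, each with the prefix its LOG rule uses.
STAGES='nat/PREROUTING|PRE Where is my packet?
mangle/INPUT|MANGLE INPUT Where is my packet?
filter/INPUT|INPUT Where is my packet?
mangle/FORWARD|MANGLE FORWARD Where is my packet?
filter/FORWARD|FORWARD Where is my packet?
mangle/POSTROUTING|MANGLE POST Where is my packet?
nat/POSTROUTING|NAT POST Where is my packet?'

# count_hits PREFIX LOGTEXT -> number of lines the rule with PREFIX logged.
# The prefix must start the kernel message (after "kernel: " and an optional
# printk timestamp), so "INPUT ..." does not also match "MANGLE INPUT ...".
count_hits() {
  printf '%s\n' "$2" | awk -v p="$1" '
    { msg = $0; sub(/^.*kernel: /, "", msg); sub(/^\[ *[0-9.]+\] /, "", msg) }
    index(msg, p) == 1 { n++ } END { print n + 0 }'
}

# trace_report LOGTEXT -> one "table/chain HIT n" or "table/chain MISS" per stage
trace_report() {
  printf '%s\n' "$STAGES" | while IFS='|' read -r stage prefix; do
    n=$(count_hits "$prefix" "$1")
    if [ "$n" -gt 0 ]; then echo "$stage HIT $n"; else echo "$stage MISS"; fi
  done
}

# verdict LOGTEXT -> what happened after nat PREROUTING: "forwarded" (mangle
# FORWARD seen), "delivered-locally" (mangle INPUT seen), "lost-after-prerouting"
# (seen in PREROUTING only, so it vanished at or before the routing decision),
# or "never-seen" (no rule logged it at all).
verdict() {
  [ "$(count_hits 'PRE Where is my packet?' "$1")" -gt 0 ] || { echo never-seen; return; }
  if [ "$(count_hits 'MANGLE FORWARD Where is my packet?' "$1")" -gt 0 ]; then
    echo forwarded
  elif [ "$(count_hits 'MANGLE INPUT Where is my packet?' "$1")" -gt 0 ]; then
    echo delivered-locally
  else
    echo lost-after-prerouting
  fi
}

trace_report "$SAMPLE_LOG"
echo "verdict: $(verdict "$SAMPLE_LOG")"
```

Run it against the real file with `verdict "$(grep 'Where is my packet' /var/log/messages)"`; a "lost-after-prerouting" verdict narrows the search to what sits between the nat PREROUTING hook and the routing decision.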