55 lines
1.2 KiB
Bash
Executable File
55 lines
1.2 KiB
Bash
Executable File
#!/bin/bash -ex
|
|
|
|
function _iptables() {
|
|
local table="QEMU_$1"; shift
|
|
|
|
iptables -C "$table" "$@" 2> /dev/null || iptables -A "$table" "$@"
|
|
}
|
|
|
|
function newtable() {
|
|
local table="$1"; shift
|
|
|
|
iptables -N "QEMU_$table" "$@" 2> /dev/null || true
|
|
iptables -A "$table" -j "QEMU_$table" "$@"
|
|
}
|
|
|
|
if ! command -v dnsmasq iptables-nft; then
|
|
echo 'missing 1+ dependencies: dnsmasq iptables-nft' >&2
|
|
exit 1
|
|
fi
|
|
|
|
if [ "$EUID" != 0 ]; then
|
|
echo 'this script must be run as root' >&2
|
|
exit 1
|
|
fi
|
|
|
|
BRIDGE="${1-virbr0}"
|
|
|
|
sysctl net.ipv4.conf.all.forwarding=1
|
|
|
|
if ! ip link show "$BRIDGE" > /dev/null; then
|
|
ip link add "$BRIDGE" type bridge
|
|
fi
|
|
|
|
ip link set dev "$BRIDGE" up
|
|
|
|
ip address flush dev "$BRIDGE"
|
|
ip address add 192.168.123.1/24 dev "$BRIDGE"
|
|
|
|
# TODO: firewalld/nft?
|
|
newtable INPUT
|
|
newtable FORWARD
|
|
newtable POSTROUTING -tnat
|
|
|
|
_iptables INPUT -i virbr0 -j ACCEPT
|
|
_iptables FORWARD -i virbr0 -j ACCEPT
|
|
_iptables FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
_iptables POSTROUTING -t nat -i "$BRIDGE" -j MASQUERADE
|
|
|
|
pidof dnsmasq | grep -q "$(cat /var/run/dnsmasq-virbr0.pid)" \
|
|
|| dnsmasq -z \
|
|
-i "$BRIDGE" \
|
|
-F 192.168.123.2,192.168.123.254,255.255.255.0 \
|
|
-x /var/run/dnsmasq-virbr0.pid
|