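#!/bin/bash
# Sets up a NAT-ed bridge for QEMU guests: the bridge device, iptables rules
# kept in dedicated QEMU_* chains, and a dnsmasq instance serving DHCP/DNS on
# the bridge.
# Usage (as root): <script> [BRIDGE]   — BRIDGE defaults to virbr0
#
# Shell options live here, not in the shebang, so they also apply when the
# script is started as `bash <script>`; -x keeps the command trace the
# original shebang requested.
set -euxo pipefail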
#######################################
# Idempotently add a rule to the QEMU_<chain> chain: the rule is appended
# (-A) only when an identical one is not already present (-C).
# Arguments: $1 - base chain (INPUT, FORWARD, ...); rest - rule specification
# Returns:   0 when the rule already existed, else the status of `iptables -A`
#######################################
function _iptables() {
  local chain="QEMU_$1"
  shift
  # -C prints an error when the rule is absent; that case is expected here.
  if ! iptables -C "$chain" "$@" 2> /dev/null; then
    iptables -A "$chain" "$@"
  fi
}
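#######################################
# Create the QEMU_<chain> chain (if missing) and hook it into the base chain.
# The jump rule is appended only when it is not already present, so re-running
# the script does not accumulate duplicate "-j QEMU_<chain>" entries (the
# original appended one unconditionally on every run).
# Arguments: $1 - base chain (INPUT, FORWARD, POSTROUTING, ...);
#            rest - extra iptables options, e.g. "-tnat"
# Returns:   status of the last iptables call
#######################################
function newtable() {
  local chain="$1"; shift
  local subchain="QEMU_$chain"
  # -N fails when the chain already exists; that is expected on re-runs.
  iptables -N "$subchain" "$@" 2> /dev/null || true
  iptables -C "$chain" -j "$subchain" "$@" 2> /dev/null \
    || iptables -A "$chain" -j "$subchain" "$@"
}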
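# Preflight: required binaries and root privileges.
# Only the exit status of `command -v` matters (bash returns non-zero when any
# of the names cannot be found); the resolved paths it prints are discarded.
# NOTE(review): the check looks for iptables-nft but the script invokes
# `iptables`; on hosts where those are different binaries, confirm that
# `iptables` resolves to the nft backend.
if ! command -v dnsmasq iptables-nft > /dev/null; then
  echo 'missing 1+ dependencies: dnsmasq iptables-nft' >&2
  exit 1
fi

# Everything below modifies interfaces, sysctls and firewall rules.
if [ "$EUID" != 0 ]; then
  echo 'this script must be run as root' >&2
  exit 1
fi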
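BRIDGE="${1-virbr0}"
# Guest subnet on the bridge: the host takes .1, DHCP hands out .2-.254.
readonly NET_PREFIX=192.168.122
# Per-bridge pid file, so two bridges do not share one dnsmasq record.
# Identical to the old fixed path for the default bridge name.
readonly PIDFILE="/var/run/dnsmasq-${BRIDGE}.pid"

# Upstream interface = device of the first default route. Picking the token
# after "dev" (instead of `\w+`) also accepts names containing '.', '-' or
# '@', and `exit` after the first hit avoids a multi-line value when more
# than one default route exists.
DEV="$(ip route show default \
  | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')"
if [ -z "$DEV" ]; then
  echo 'could not determine the default-route interface' >&2
  exit 1
fi

# Host-wide forwarding is required for the NAT below; this enables it on
# every interface, not only the bridge.
sysctl net.ipv4.conf.all.forwarding=1

if ! ip link show "$BRIDGE" > /dev/null 2>&1; then
  ip link add "$BRIDGE" type bridge
fi
ip link set dev "$BRIDGE" up
ip address flush dev "$BRIDGE"
ip address add "${NET_PREFIX}.1/24" dev "$BRIDGE"

newtable INPUT
newtable FORWARD
newtable OUTPUT
newtable POSTROUTING -tnat

_iptables INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Uses the configured bridge (the original hard-coded virbr0 here, so a
# non-default BRIDGE got no INPUT rule). This accepts *all* traffic from guests
# to the host, not only DHCP (67/udp) and DNS (53); tighten to those ports if
# guests are not trusted.
_iptables INPUT -i "$BRIDGE" -j ACCEPT
_iptables FORWARD -i "$BRIDGE" -o "$DEV" -j ACCEPT
_iptables FORWARD -i "$DEV" -o "$BRIDGE" -m state --state RELATED,ESTABLISHED -j ACCEPT

_iptables POSTROUTING -o "$DEV" -j MASQUERADE -tnat

#######################################
# Whether the dnsmasq instance recorded in PIDFILE is still running.
# Replaces `pidof dnsmasq | grep -q "$(cat pidfile)"`, which matched *any*
# dnsmasq when the pid file was missing (an empty grep pattern matches every
# line) and could match a substring of an unrelated pid.
# Globals:   PIDFILE (read)
# Returns:   0 if the recorded pid is a live dnsmasq process, 1 otherwise
#######################################
dnsmasq_running() {
  local pid
  [ -r "$PIDFILE" ] || return 1
  pid="$(cat "$PIDFILE")"
  [[ "$pid" =~ ^[0-9]+$ ]] || return 1
  [ "$(cat "/proc/$pid/comm" 2> /dev/null)" = "dnsmasq" ]
}

dnsmasq_running \
  || dnsmasq --bind-dynamic \
    -i "$BRIDGE" \
    -F "${NET_PREFIX}.2,${NET_PREFIX}.254,255.255.255.0" \
    -x "$PIDFILE"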