Nicolas Massé
3 months ago
5 changed files with 51 additions and 34 deletions
@ -0,0 +1,49 @@ |
|||||
|
#!/bin/bash |
||||
|
|
||||
|
set -Eeuo pipefail |
||||
|
|
||||
|
# This script is called by libvirt when a VM is started or stopped. |
||||
|
# It is used to set up and tear down networking for the VM. |
||||
|
# The script takes two arguments: the VM name and the action (start or stop). |
||||
|
VM_NAME="$1" |
||||
|
ACTION="$2" |
||||
|
|
||||
|
# Check if the networking configuration file exists for the VM |
||||
|
if [ ! -f "/etc/libvirt/hooks/qemu.d/${VM_NAME}/iptables" ]; then |
||||
|
echo "No networking configuration found for VM '$VM_NAME'. Skipping." |
||||
|
exit 0 |
||||
|
fi |
||||
|
|
||||
|
if [ "$ACTION" = "started" ] || [ "$ACTION" = "reconnect" ]; then |
||||
|
echo "Setting up networking for VM '$VM_NAME'..." |
||||
|
|
||||
|
# Set up iptables rules |
||||
|
while read -r rule; do |
||||
|
if [ -z "$rule" ]; then |
||||
|
continue |
||||
|
fi |
||||
|
iptables $rule |
||||
|
done < "/etc/libvirt/hooks/qemu.d/${VM_NAME}/iptables" |
||||
|
|
||||
|
echo "Networking setup complete for VM '$VM_NAME'." |
||||
|
elif [ "$ACTION" = "stopped" ] || [ "$ACTION" = "disconnect" ]; then |
||||
|
echo "Tearing down networking for VM '$VM_NAME'..." |
||||
|
|
||||
|
# Tear down iptables rules |
||||
|
while read -r rule; do |
||||
|
if [ -z "$rule" ]; then |
||||
|
continue |
||||
|
fi |
||||
|
# Replace '-A'/'-I' with '-D' to delete the rule |
||||
|
rule="${rule/-A/-D}" |
||||
|
rule="${rule/-I/-D}" |
||||
|
iptables $rule || echo "Warning: Failed to delete iptables rule: iptables $rule" |
||||
|
done < "/etc/libvirt/hooks/qemu.d/${VM_NAME}/iptables" |
||||
|
|
||||
|
echo "Networking teardown complete for VM '$VM_NAME'." |
||||
|
else |
||||
|
echo "Unknown action '$ACTION'. Supported actions are 'started', 'stopped', 'reconnect', and 'disconnect'." |
||||
|
echo "Skipping." |
||||
|
fi |
||||
|
|
||||
|
exit 0 |
||||
@ -0,0 +1,2 @@ |
|||||
|
-t nat -A PREROUTING -p tcp --dport 80 -d 192.168.2.75 -j DNAT --to-destination 192.168.122.2:80 |
||||
|
-t filter -I LIBVIRT_FWI -d 192.168.122.2 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT |
||||
@ -1,32 +0,0 @@ |
|||||
#!/usr/sbin/nft -f |
|
||||
|
|
||||
destroy table ip libvirt-nat |
|
||||
|
|
||||
## |
|
||||
## TODO |
|
||||
## |
|
||||
|
|
||||
table ip libvirt-nat { |
|
||||
|
|
||||
chain FORWARD { |
|
||||
type filter hook forward priority filter - 10 |
|
||||
policy accept |
|
||||
|
|
||||
# Accept packets related to existing connections |
|
||||
ct state invalid counter drop |
|
||||
ct state { established, related } counter accept |
|
||||
|
|
||||
oifname "virbr0" ip daddr 192.168.122.2/24 tcp dport { 80, 9090 } ct state { new } counter accept |
|
||||
} |
|
||||
|
|
||||
chain Pre-Routing { |
|
||||
type nat hook prerouting priority dstnat - 10 |
|
||||
policy accept |
|
||||
|
|
||||
# Redirect HTTP connections to the Nextcloud VM |
|
||||
iifname != "virbr0" ip daddr 192.168.2.0/24 tcp dport 80 counter dnat to 192.168.122.2 |
|
||||
|
|
||||
# Redirect Cockpit connections to the Nextcloud VM |
|
||||
iifname != "virbr0" ip daddr 192.168.2.0/24 tcp dport 9091 counter dnat to 192.168.122.2:9090 |
|
||||
} |
|
||||
} |
|
||||
@ -1 +0,0 @@ |
|||||
include "/etc/nftables/libvirt.nft" |
|
||||
Loading…
Reference in new issue