5 changed files with 51 additions and 34 deletions
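--- /dev/null
+++ b/PLACEHOLDER_PATH_1
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set -Eeuo pipefail
+
+# This script is called by libvirt when a VM is started or stopped.
+# It is used to set up and tear down networking for the VM.
+# The script takes two arguments: the VM name and the action (start or stop).
+VM_NAME="$1"
+ACTION="$2"
+
+# Check if the networking configuration file exists for the VM
+if [ ! -f "/etc/libvirt/hooks/qemu.d/${VM_NAME}/iptables" ]; then
+echo "No networking configuration found for VM '$VM_NAME'. Skipping."
+exit 0
+fi
+
+if [ "$ACTION" = "started" ] || [ "$ACTION" = "reconnect" ]; then
+echo "Setting up networking for VM '$VM_NAME'..."
+
+# Set up iptables rules
+while read -r rule; do
+if [ -z "$rule" ]; then
+continue
+fi
+iptables $rule
+done < "/etc/libvirt/hooks/qemu.d/${VM_NAME}/iptables"
+
+echo "Networking setup complete for VM '$VM_NAME'."
+elif [ "$ACTION" = "stopped" ] || [ "$ACTION" = "disconnect" ]; then
+echo "Tearing down networking for VM '$VM_NAME'..."
+
+# Tear down iptables rules
+while read -r rule; do
+if [ -z "$rule" ]; then
+continue
+fi
+# Replace '-A'/'-I' with '-D' to delete the rule
+rule="${rule/-A/-D}"
+rule="${rule/-I/-D}"
+iptables $rule || echo "Warning: Failed to delete iptables rule: iptables $rule"
+done < "/etc/libvirt/hooks/qemu.d/${VM_NAME}/iptables"
+
+echo "Networking teardown complete for VM '$VM_NAME'."
+else
+echo "Unknown action '$ACTION'. Supported actions are 'started', 'stopped', 'reconnect', and 'disconnect'."
+echo "Skipping."
+fi
+
+exit 0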
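Review bot: The `started`/`reconnect` branch appends every rule unconditionally (`iptables $rule` in the first loop), so each time the hook fires for a guest that is already running — libvirt, as far as I recall, passes `reconnect` when the daemon reattaches to running domains — the same rules are added again, and under `set -e` the first rule that fails aborts the hook with no message of its own. The teardown branch has a related weakness: `rule="${rule/-A/-D}"` and `rule="${rule/-I/-D}"` are unanchored first-occurrence substring replacements, so they also match `-A`/`-I` inside a longer token such as an interface or chain name. Parsing each line into an array and swapping only a standalone `-A`/`-I` token fixes both, lets the setup loop test with `iptables -C` before adding, and stops the unquoted `$rule` expansion from glob-expanding a `*` in a rule. The teardown loop would use the same token swap with `-D`; this assumes the rules file never uses the `-I CHAIN rulenum` form, which `-C` does not accept.
```shell
# Set up iptables rules (skip a rule that is already present so that
# repeated started/reconnect invocations do not duplicate it)
while read -r -a args; do
  if [ "${#args[@]}" -eq 0 ]; then
    continue
  fi
  check=("${args[@]}")
  for i in "${!check[@]}"; do
    case "${check[$i]}" in
      -A|-I) check[$i]=-C ;;
    esac
  done
  if ! iptables "${check[@]}" 2>/dev/null; then
    iptables "${args[@]}"
  fi
done < "/etc/libvirt/hooks/qemu.d/${VM_NAME}/iptables"
# … unchanged: completion message; the teardown loop applies the same token swap with -D …
```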
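--- /dev/null
+++ b/PLACEHOLDER_PATH_2
@@ -0,0 +1,2 @@
+-t nat -A PREROUTING -p tcp --dport 80 -d 192.168.2.75 -j DNAT --to-destination 192.168.122.2:80
+-t filter -I LIBVIRT_FWI -d 192.168.122.2 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT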
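Review bot: The new rules file only forwards TCP port 80, while the nftables configuration removed in this commit also redirected port 9091 to Cockpit on 192.168.122.2:9090 and accepted forwarded traffic to port 9090; unless dropping the Cockpit forward is intended, the equivalent `-t nat -A PREROUTING -p tcp --dport 9091 -d 192.168.2.75 -j DNAT --to-destination 192.168.122.2:9090` and a matching `LIBVIRT_FWI` accept for `--dport 9090` are missing. The DNAT also narrows the match from `192.168.2.0/24` to the single host `192.168.2.75`, which reads as deliberate, but note that this file cannot carry an explanatory comment as the hook script stands: its loop skips only empty lines, so a `#` line would be handed to iptables as arguments. Finally, `-I LIBVIRT_FWI` inserts into a chain that libvirt itself manages; if libvirt rebuilds that chain when its network is restarted, the inserted rule disappears independently of the guest lifecycle, so that dependency deserves to be recorded next to the file.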
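--- a/PLACEHOLDER_PATH_3
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/sbin/nft -f
-
-destroy table ip libvirt-nat
-
-##
-## TODO
-##
-
-table ip libvirt-nat {
-
-chain FORWARD {
-type filter hook forward priority filter - 10
-policy accept
-
-# Accept packets related to existing connections
-ct state invalid counter drop
-ct state { established, related } counter accept
-
-oifname "virbr0" ip daddr 192.168.122.2/24 tcp dport { 80, 9090 } ct state { new } counter accept
-}
-
-chain Pre-Routing {
-type nat hook prerouting priority dstnat - 10
-policy accept
-
-# Redirect HTTP connections to the Nextcloud VM
-iifname != "virbr0" ip daddr 192.168.2.0/24 tcp dport 80 counter dnat to 192.168.122.2
-
-# Redirect Cockpit connections to the Nextcloud VM
-iifname != "virbr0" ip daddr 192.168.2.0/24 tcp dport 9091 counter dnat to 192.168.122.2:9090
-}
-}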
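--- a/PLACEHOLDER_PATH_4
+++ /dev/null
@@ -1 +0,0 @@
-include "/etc/nftables/libvirt.nft"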