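#!/bin/sh
#
# Toggle a firewall rule that drops packets forwarded from libvirt bridge
# interfaces (virbr+) to any output interface other than lo.
#
# add to /etc/network/interfaces e.g.
# iface wlan0
#   post-up /path/to/iptables-libvirt.sh disable
#   pre-down /path/to/iptables-libvirt.sh enable
#
# Usage: iptables-libvirt.sh [enable|disable]
#   disable  (default) insert the DROP rule at the head of FORWARD
#   enable   remove the DROP rule again
#
# Exit status: 0 on success, 2 on an unknown argument, otherwise the
# status of the failing iptables call.

CMD="${1:-disable}"

# Keep the rule specification in the positional parameters so that every
# word reaches iptables as its own, properly quoted argument (POSIX sh has
# no arrays). The specification carries no rule number on purpose.
set -- -i virbr+ '!' -o lo -j DROP

# Succeeds when the exact DROP rule is currently in FORWARD.
# stderr is silenced because "rule not found" is an expected answer here;
# a real failure (e.g. missing privileges) also reads as "not present".
rule_present() {
  iptables -C FORWARD "$@" 2>/dev/null
}

case "$CMD" in
  enable)
    echo "Enabling"
    # Delete by rule specification, never by position: a rule number would
    # refer to whatever rule happens to be first in FORWARD at that moment,
    # which may be an unrelated filtering rule, and iptables does not take
    # a rule number together with match options. The loop also clears
    # duplicate copies left behind by repeated "disable" runs.
    while rule_present "$@"; do
      iptables -D FORWARD "$@" || exit 1
    done
    ;;
  disable)
    echo "Disabling"
    # Insert at the head of the chain so the DROP is evaluated before any
    # ACCEPT rule, and only when it is not already there, so that repeated
    # post-up runs do not stack duplicates.
    if ! rule_present "$@"; then
      iptables -I FORWARD 1 "$@"
    fi
    ;;
  *)
    # Refuse unknown arguments instead of calling iptables without an
    # operation.
    echo "Usage: ${0##*/} [enable|disable]" >&2
    exit 2
    ;;
esac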