#!/bin/bash

ip6tables -t nat -D PREROUTING -j IP6NAT-I 2>/dev/null || true
ip6tables -t nat -N IP6NAT-I 2>/dev/null || true
ip6tables -t nat -I PREROUTING -j IP6NAT-I || true

ip6tables -t nat -D POSTROUTING -j IP6NAT-O 2>/dev/null || true
ip6tables -t nat -N IP6NAT-O 2>/dev/null || true
ip6tables -t nat -I POSTROUTING -j IP6NAT-O || true

ip6tables -t nat -F IP6NAT-I
ip6tables -t nat -F IP6NAT-O

PREFIX=2603:300b:768:b000:9
IFACE=enp2s0f0
CONT=lxcbr0

ADDRS="\
4::1/4 \
4::14c/4 \
12::1/12 \
10::1/10 \
11::1/11 \
13::1/13 \
"

# All external access to containers must be granted to both the LAN and WAN interface.
for J in $ADDRS; do
 SRC=$PREFIX:`echo $J | cut -d/ -f1`
 DST=fd10:3::`echo $J | cut -d/ -f2`
 echo "$SRC -> $DST"
 ip -6 addr replace $SRC/128 dev $IFACE preferred_lft forever
 ip6tables -t nat -A IP6NAT-I -i $IFACE -d $SRC -j DNAT --to $DST
 ip6tables -t nat -A IP6NAT-O -o $IFACE -s $DST -j SNAT --to $SRC
done
ip6tables -t nat -D POSTROUTING -o $IFACE -s fc00::/7 -j MASQUERADE 2>/dev/null || true
ip6tables -t nat -A POSTROUTING -o $IFACE -s fc00::/7 -j MASQUERADE