[Unit]
Description="Enable NAT on nspawn bridge due to Debian bug #787480."
Requires=systemd-networkd
After=systemd-networkd
After=ufw

[Service]
Type=oneshot
RemainAfterExit=yes
Environment=network="192.168.123.0/24"
ExecStart=/sbin/iptables -w -t nat -A POSTROUTING -s "$network" ! -d "$network" -j MASQUERADE
ExecStop=/sbin/iptables -w -t nat -D POSTROUTING -s "$network" ! -d "$network" -j MASQUERADE

[Install]
WantedBy=network.target