Set up bridge0 and iptables automatically #24

Open
wants to merge 4 commits into master

Commits on Aug 15, 2015

  1. Use brctl to create bridge0 if it's missing

    The brctl command (from bridge-utils) is an easier dependency than
    requiring users to set up the bridge themselves.  Following [1].
    
    [1]: https://docs.docker.com/articles/networking/#bridge-building
    wking committed Aug 15, 2015 (commit 4612ad7)
  2. Collapse 'ip link set' commands where possible

    One 'ip link set' call can set all the values we need; there's no need
    for a separate call for each value.
    
    I've shifted the veth1 call to after the route and address, to avoid
    putting it up before it's fully configured.  We have to add the route
    after putting veth1 up though, to avoid:
    
      RTNETLINK answers: Network is unreachable
    wking committed Aug 15, 2015 (commit 96bdd75)
  3. Automatically enable IPv4 forwarding

    One less step for the user to handle on their own.  We might want to
    log this change, since it has the potential to create unwanted
    side-effects if the user has a permissive firewall.
    
    If procps (from which we get sysctl) is too burdensome a dependency,
    we could use:
    
      echo 1 > /proc/sys/net/ipv4/ip_forward
    wking committed Aug 15, 2015 (commit 65b9937)

Commits on Aug 16, 2015

  1. Automatically set up iptables rules

    Based on [1].  With ACCEPT policies for INPUT, FORWARD, and OUTPUT in
    the filter table, and PREROUTING, INPUT, OUTPUT, and POSTROUTING in
    the nat table, this MASQUERADE jump is all we need.
    
    With those permissive rules, external hosts can access the containers
    by adding a route like:
    
      # ip route add 10.0.0.0/24 via 192.168.0.2
    
    where 192.168.0.2 is the IP address of the Bocker host.
    
    For more restrictive networking, you could be harsher with FORWARD on
    the Bocker host and use:
    
      # iptables -t nat -A PREROUTING ! -i bridge0 -p tcp --dport 80 -j DNAT --to 10.0.0.3:80
      # iptables -I FORWARD -d 10.0.0.3 -p tcp --dport 80 -j ACCEPT
    
    to forward the Bocker host's port 80 to the 10.0.0.3 container's port
    80.
    
    [1]: https://github.com/gdm85/docker-fw/blob/d9cee19989ead67e6107740869ba9c13d4ff6096/example-iptables.txt
    wking committed Aug 16, 2015 (commit 64e95c5)
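An added shell example, not code from the Bocker project or from this PR, that carries out the host-side steps these commits describe (create bridge0 if missing, enable ip_forward with the change logged, add the MASQUERADE rule, optionally publish one port with DNAT) in an idempotent way: each iptables rule is checked with `-C` before it is appended, and DRY_RUN=1 prints the commands instead of running them. The exact MASQUERADE rule, the .1 gateway address on the bridge and all function names are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example (not the project's code): idempotent host setup for the
# bridge0 / ip_forward / NAT steps in the commits above. Assumed, not from
# the page: exact MASQUERADE rule, gateway .1, function names. DRY_RUN=1 prints.
set -u
BRIDGE="${BRIDGE:-bridge0}"
SUBNET="${SUBNET:-10.0.0.0/24}"
DRY_RUN="${DRY_RUN:-}"
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Append a rule only if not already present (iptables -C), so re-running the
# setup does not pile up duplicate MASQUERADE/DNAT entries.
ensure_rule() {  # $1 = table, $2 = chain, rest = rule spec
  table=$1; shift
  if [ -z "$DRY_RUN" ] && iptables -t "$table" -C "$@" 2>/dev/null; then
    return 0
  fi
  run iptables -t "$table" -A "$@"
}

# Commit 1: create bridge0 with brctl only when it is missing.
setup_bridge() {
  if [ -z "$DRY_RUN" ] && ip link show "$BRIDGE" >/dev/null 2>&1; then
    return 0
  fi
  run brctl addbr "$BRIDGE"
  run ip addr add "${SUBNET%.*}.1/${SUBNET#*/}" dev "$BRIDGE"
  run ip link set dev "$BRIDGE" up
}

# Commit 3: enable forwarding and log the change; the host now routes for
# others, which matters when its FORWARD policy is a permissive ACCEPT.
enable_ip_forward() {
  old=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo '?')
  [ "$old" = 1 ] && return 0
  echo "net.ipv4.ip_forward: $old -> 1" >&2
  run sysctl -w net.ipv4.ip_forward=1
}

# Commit 4: masquerade container traffic leaving on anything but the bridge.
setup_nat() { ensure_rule nat POSTROUTING -s "$SUBNET" ! -o "$BRIDGE" -j MASQUERADE; }

# Commit 4, restrictive variant: publish host port $1 to container $2 port $3
# while FORWARD stays closed otherwise (appended; use -I if a DROP precedes it).
forward_port() {
  ensure_rule nat PREROUTING ! -i "$BRIDGE" -p tcp --dport "$1" -j DNAT --to "$2:$3"
  ensure_rule filter FORWARD -d "$2" -p tcp --dport "$3" -j ACCEPT
}

if [ "${1:-}" = apply ]; then setup_bridge; enable_ip_forward; setup_nat; fi
```

Run it as `sh setup.sh apply` on the host, or with `DRY_RUN=1` first to review the exact commands it would issue.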