diff --git a/network/30-qubes-external-ip b/network/30-qubes-external-ip index 3dd5ec1..283359f 100755 --- a/network/30-qubes-external-ip +++ b/network/30-qubes-external-ip @@ -1,8 +1,8 @@ #!/bin/sh -if [ x$2 = xup ]; then - INET=$(/sbin/ip addr show dev $1 | /bin/grep inet) +if [ "x$2" = xup ]; then + INET=$(/sbin/ip addr show dev "$1" | /bin/grep inet) qubesdb-write /qubes-netvm-external-ip "$INET" fi -if [ x$2 = xdown ]; then +if [ "x$2" = xdown ]; then qubesdb-write /qubes-netvm-external-ip "" fi diff --git a/network/iptables-updates-proxy b/network/iptables-updates-proxy index 3bddd5c..5bda776 100755 --- a/network/iptables-updates-proxy +++ b/network/iptables-updates-proxy @@ -14,7 +14,9 @@ COMMIT __EOF__ else # Remove rules + # shellcheck disable=SC2086 iptables -D $RULE_FILTER + # shellcheck disable=SC2086 iptables -t nat -D $RULE_NAT exit 0 fi diff --git a/network/network-manager-prepare-conf-dir b/network/network-manager-prepare-conf-dir index bb27413..d56b996 100755 --- a/network/network-manager-prepare-conf-dir +++ b/network/network-manager-prepare-conf-dir @@ -1,7 +1,7 @@ #!/bin/sh NM_CONFIG_DIR=/etc/NetworkManager/system-connections -if [ -d $NM_CONFIG_DIR -a ! -h $NM_CONFIG_DIR ]; then +if [ -d $NM_CONFIG_DIR ] && [ ! -h $NM_CONFIG_DIR ]; then mkdir -p /rw/config/NM-system-connections mv $NM_CONFIG_DIR/* /rw/config/NM-system-connections/ 2> /dev/null || true rmdir $NM_CONFIG_DIR diff --git a/network/qubes-fix-nm-conf.sh b/network/qubes-fix-nm-conf.sh index 9f1eca7..c952fe3 100755 --- a/network/qubes-fix-nm-conf.sh +++ b/network/qubes-fix-nm-conf.sh 
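Review bot: With `$2` now quoted on both `if` lines, the `x` prefix that protected against an empty operand is redundant and `[ "$2" = up ]` / `[ "$2" = down ]` say the same thing more directly. Separately, `/bin/grep inet` also matches `inet6` lines, so the `$INET` handed to `qubesdb-write /qubes-netvm-external-ip` can be several lines of `ip addr` output rather than one address; if the reader of that key expects a single IPv4 entry, `ip -4 addr show dev "$1" | grep -w inet` narrows it. I cannot see the consumer of `/qubes-netvm-external-ip` from here, so confirm what it expects before changing the captured text.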
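Review bot: The two `# shellcheck disable=SC2086` lines added before `iptables -D $RULE_FILTER` and `iptables -t nat -D $RULE_NAT` record that word-splitting is intentional but not why, which is exactly what the next reader needs when deciding whether these can be quoted; a one-line reason above each directive keeps that decision explicit, e.g. `# RULE_FILTER holds a complete rule spec; splitting it into arguments is intended` followed by the directive. The `else` branch these lines belong to starts before the hunk, so I cannot see where the two variables are assigned; presumably they are the same rule strings the add path feeds to the heredoc that ends at `__EOF__` above, and that is worth stating in the comment too.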
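Review bot: `mv $NM_CONFIG_DIR/* /rw/config/NM-system-connections/` under `/bin/sh` expands only non-dotfiles, so any hidden entry left in the directory makes the following `rmdir $NM_CONFIG_DIR` fail, and because the errors go to `/dev/null || true` nothing reports it; the `if` body continues past the hunk, so whatever replaces the directory afterwards (presumably a symlink into `/rw/config`) would then run against a directory that still exists. Moving the hidden entries too, `mv "$NM_CONFIG_DIR"/* "$NM_CONFIG_DIR"/.[!.]* /rw/config/NM-system-connections/ 2>/dev/null || true`, and letting the `rmdir` failure stop the migration, `rmdir "$NM_CONFIG_DIR" || exit 1`, makes the broken state visible instead of silent. Also, `mkdir -p /rw/config/NM-system-connections` takes the umask default mode while the profiles written into it elsewhere in this tree are `chmod 600` (see setup-ip); `mkdir -p -m 0700` keeps unprivileged users from listing profile names, assuming NetworkManager does not need the directory world-readable, which I believe it does not.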
@@ -1,19 +1,19 @@ #!/bin/sh FILE=/etc/NetworkManager/NetworkManager.conf VIFMAC=mac:fe:ff:ff:ff:ff:ff -if ! grep -q ^plugins.*keyfile $FILE ; then +if ! grep -q '^plugins.*keyfile' $FILE ; then sed -i 's/^plugins.*$/&,keyfile/' $FILE fi -if grep -q ^plugins.*ifcfg-rh $FILE ; then +if grep -q '^plugins.*ifcfg-rh' $FILE ; then sed -i 's/^plugins=\(.*\)ifcfg-rh,\(.*\)$/plugins=\1\2/' $FILE fi if ! grep -q '^\[keyfile\]$' $FILE ; then echo '[keyfile]' >> $FILE fi -if ! grep -q ^unmanaged-devices $FILE ; then +if ! grep -q '^unmanaged-devices' $FILE ; then sed -i 's/^\[keyfile\]$/\[keyfile\]\x0aunmanaged-devices='$VIFMAC/ $FILE fi -if ! grep -q ^unmanaged-devices.*$VIFMAC $FILE ; then +if ! grep -q "^unmanaged-devices.*$VIFMAC" $FILE ; then sed -i 's/^unmanaged-devices.*$/&,'$VIFMAC/ $FILE fi exit 0 diff --git a/network/qubes-iptables b/network/qubes-iptables index 7badb7d..08e4a62 100755 --- a/network/qubes-iptables +++ b/network/qubes-iptables @@ -35,8 +35,9 @@ start() { echo -n $"${CMD}: Applying firewall rules: " - $CMD-restore $IPTABLES_DATA - if [ $? -eq 0 ]; then + "$CMD-restore" "$IPTABLES_DATA" + ret="$?" + if [ "$ret" -eq 0 ]; then echo OK else echo FAIL; return 1 diff --git a/network/qubes-nmhook b/network/qubes-nmhook index 0bd1736..1832dc1 100755 --- a/network/qubes-nmhook +++ b/network/qubes-nmhook @@ -1,6 +1,7 @@ #!/bin/sh # Source Qubes library. +# shellcheck source=init/functions . /usr/lib/qubes/init/functions /usr/lib/qubes/qubes-setup-dnat-to-ns diff --git a/network/qubes-setup-dnat-to-ns b/network/qubes-setup-dnat-to-ns index 68f87ea..fe1295e 100755 --- a/network/qubes-setup-dnat-to-ns +++ b/network/qubes-setup-dnat-to-ns @@ -1,7 +1,7 @@ #!/bin/sh addrule() { - if [ $FIRSTONE = yes ] ; then + if [ "$FIRSTONE" = yes ] ; then FIRSTONE=no RULE1="-A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $1 -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $1" 
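Review bot: The two `sed` lines leave `$VIFMAC` and `$FILE` outside the quotes this commit adds everywhere else, e.g. `sed -i 's/^unmanaged-devices.*$/&,'$VIFMAC/ $FILE`; the expansion only works because `VIFMAC` happens to contain no whitespace or glob characters, which is precisely the assumption the quoting change was meant to stop relying on. Keeping the sed script single-quoted and splicing the variable in double-quoted, `sed -i 's/^unmanaged-devices.*$/&,'"$VIFMAC"'/' "$FILE"` and likewise `'...\x0aunmanaged-devices='"$VIFMAC"'/' "$FILE"` on the line above, makes them consistent with the `grep` lines. Note that `\x0a` in the replacement is a GNU sed extension, so a one-line comment saying the script assumes GNU sed would save someone a debugging session on a BSD-userland template.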
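Review bot: `ret="$?"` is captured only to feed `[ "$ret" -eq 0 ]` on the next line, so the three lines can collapse into the exit-status test the shell already provides, `if "$CMD-restore" "$IPTABLES_DATA"; then`, which drops the variable without changing behaviour. If `ret` is meant to help diagnose failures, printing it in the failure branch, `echo "FAIL (exit $ret)"`, would at least make the capture useful. `start()` begins before this hunk and the closing `fi` falls after it, so I cannot see whether `CMD` and `IPTABLES_DATA` are validated earlier.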
@@ -10,17 +10,18 @@ addrule() else RULE2="-A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $1 -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $1" - NS=$NS2 fi } export PATH=$PATH:/sbin:/bin +# shellcheck disable=SC1091 . /var/run/qubes/qubes-ns -if [ "X"$NS1 = "X" ] ; then exit ; fi +if [ "X$NS1" = "X" ] ; then exit ; fi iptables -t nat -F PR-QBS FIRSTONE=yes grep ^nameserver /etc/resolv.conf | grep -v ":.*:" | head -2 | ( - while read x y z ; do + # shellcheck disable=SC2034 + while read -r x y z ; do addrule "$y" done (echo "*nat"; echo "$RULE1"; echo "$RULE2"; echo COMMIT) | iptables-restore -n diff --git a/network/setup-ip b/network/setup-ip index 9b0d66d..5f4aae0 100755 --- a/network/setup-ip +++ b/network/setup-ip 
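Review bot: `addrule "$y"` passes the second field of each `nameserver` line straight into the `-j DNAT --to $1` rule text, and because `iptables -t nat -F PR-QBS` has already run by then, a malformed or non-IPv4 token (the `grep -v ":.*:"` filter only removes IPv6 entries) makes `iptables-restore -n` reject the whole batch and leaves `PR-QBS` empty, i.e. no DNS redirection for the VM. A cheap guard before the call keeps one bad resolv.conf line from taking down the working rules: `case "$y" in ''|*[!0-9.]*) continue ;; esac`. The subshell opened after `head -2 | (` closes outside the hunk, so I cannot see whether its exit status is checked; `. /var/run/qubes/qubes-ns` also executes a file generated by setup-ip as shell, so the values it writes need to be quoted there.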
@@ -1,27 +1,28 @@ #!/bin/sh # Source Qubes library. +# shellcheck disable=SC1091 . /usr/lib/qubes/init/functions have_qubesdb || exit 0 -ip=`/usr/bin/qubesdb-read /qubes-ip 2> /dev/null` -if [ x$ip != x ]; then - netmask=`/usr/bin/qubesdb-read /qubes-netmask` - gateway=`/usr/bin/qubesdb-read /qubes-gateway` - primary_dns=`/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null || echo $gateway` - secondary_dns=`/usr/bin/qubesdb-read /qubes-secondary-dns` - /sbin/ethtool -K $INTERFACE sg off - /sbin/ethtool -K $INTERFACE tx off +ip=$(/usr/bin/qubesdb-read /qubes-ip 2> /dev/null) +if [ "x$ip" != x ]; then + #netmask=$(/usr/bin/qubesdb-read /qubes-netmask) + gateway=$(/usr/bin/qubesdb-read /qubes-gateway) + primary_dns=$(/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null || echo "$gateway") + secondary_dns=$(/usr/bin/qubesdb-read /qubes-secondary-dns) + /sbin/ethtool -K "$INTERFACE" sg off + /sbin/ethtool -K "$INTERFACE" tx off # If NetworkManager is enabled, let it configure the network if qsvc network-manager ; then nm_config=/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE - cat > $nm_config <<__EOF__ + cat > "$nm_config" <<__EOF__ [802-3-ethernet] duplex=full [ethernet] -mac-address=`ip l show dev $INTERFACE |grep link|awk '{print $2}'` +mac-address=$(ip l show dev "$INTERFACE" |grep link|awk '{print $2}') [connection] id=VM uplink $INTERFACE 
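Review bot: `INTERFACE` comes from the environment and is used unchecked in `/sbin/ethtool -K "$INTERFACE" sg off` and in the `nm_config=/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE` path; under `#!/bin/sh` with no `set -u`, an unset value runs ethtool on an empty name and writes a profile called `qubes-uplink-`, so a precondition right after `have_qubesdb || exit 0`, `: "${INTERFACE:?INTERFACE must be set}"`, fails early with a clear message instead. The commented-out `#netmask=$(/usr/bin/qubesdb-read /qubes-netmask)` is dead text now that the assignment is unused; either delete it or replace it with a one-line note on why the value is not needed (the manual branch later in this script hardcodes a /32). The heredoc and the `if qsvc network-manager` branch continue past the end of the hunk.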
@@ -36,23 +37,23 @@ method=manual may-fail=false __EOF__ if ! qsvc disable-dns-server ; then - echo "dns=$primary_dns;$secondary_dns" >> $nm_config + echo "dns=$primary_dns;$secondary_dns" >> "$nm_config" fi if ! qsvc disable-default-route ; then - echo "addresses1=$ip;32;$gateway" >> $nm_config + echo "addresses1=$ip;32;$gateway" >> "$nm_config" else - echo "addresses1=$ip;32" >> $nm_config + echo "addresses1=$ip;32" >> "$nm_config" fi - chmod 600 $nm_config + chmod 600 "$nm_config" # reload connection - nmcli connection load $nm_config || : + nmcli connection load "$nm_config" || : else # No NetworkManager enabled, configure the network manually - /sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255 - /sbin/ifconfig $INTERFACE up - /sbin/route add -host $gateway dev $INTERFACE + /sbin/ifconfig "$INTERFACE" "$ip" netmask 255.255.255.255 + /sbin/ifconfig "$INTERFACE" up + /sbin/route add -host "$gateway" dev "$INTERFACE" if ! qsvc disable-default-route ; then - /sbin/route add default gw $gateway + /sbin/route add default gw "$gateway" fi if ! is_protected_file /etc/resolv.conf ; then echo > /etc/resolv.conf @@ -65,8 +66,8 @@ __EOF__ network=$(qubesdb-read /qubes-netvm-network 2>/dev/null) if [ "x$network" != "x" ] && ! qsvc disable-dns-server ; then gateway=$(qubesdb-read /qubes-netvm-gateway) - netmask=$(qubesdb-read /qubes-netvm-netmask) - primary_dns=$(qubesdb-read /qubes-netvm-primary-dns 2>/dev/null || echo $gateway) + #netmask=$(qubesdb-read /qubes-netvm-netmask) + primary_dns=$(qubesdb-read /qubes-netvm-primary-dns 2>/dev/null || echo "$gateway") secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns) echo "NS1=$primary_dns" > /var/run/qubes/qubes-ns echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns diff --git a/network/show-hide-nm-applet.sh b/network/show-hide-nm-applet.sh index 40b2233..c1fc687 100644 --- a/network/show-hide-nm-applet.sh +++ b/network/show-hide-nm-applet.sh 
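Review bot: The manual branch still configures the interface with net-tools (`/sbin/ifconfig`, `/sbin/route`) while the NetworkManager branch of the same script already reads the MAC with `ip l show dev "$INTERFACE"`; net-tools is absent from many current minimal images, so the non-NM path can fail where the NM path works. Using iproute2 for both keeps one dependency and the same semantics (a /32 host address, an explicit host route to the gateway, optional default route); the rewritten lines are below. One behavioural difference to check: `ip addr add` returns an error if the address already exists, where `ifconfig` silently reassigns, so if this script can be re-run on a configured interface the add needs `|| true` or a preceding `ip addr flush dev "$INTERFACE"`, which I cannot judge from the hunk. The enclosing `if qsvc network-manager ... else` opens before this hunk.
```shell
    else
        # No NetworkManager enabled, configure the network manually
        ip addr add "$ip/32" dev "$INTERFACE"
        ip link set dev "$INTERFACE" up
        ip route add "$gateway" dev "$INTERFACE"
        if ! qsvc disable-default-route ; then
            ip route add default via "$gateway"
        fi
        # … unchanged: resolv.conf handling …
```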
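Review bot: `echo "NS1=$primary_dns" > /var/run/qubes/qubes-ns` writes the qubesdb value unquoted into a file that `qubes-setup-dnat-to-ns` later executes with `. /var/run/qubes/qubes-ns`, so anything other than a plain address in `/qubes-netvm-primary-dns` (whitespace, `;`, `$(`) becomes shell syntax in that consumer rather than just a bad nameserver. qubesdb is presumably populated by dom0 and trusted in this model, so I am not calling this a vulnerability, but a generated shell fragment should still be emitted as literals: `printf "NS1='%s'\nNS2='%s'\n" "$primary_dns" "$secondary_dns" > /var/run/qubes/qubes-ns`, ideally after rejecting values matching `*[!0-9.]*`. The same `#netmask=` comment-out as in the first hunk applies here and should be deleted rather than kept. The `if [ "x$network" != "x" ]` body continues past the hunk.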
@@ -1,8 +1,9 @@ #!/bin/sh -type nm-applet > /dev/null 2>&1 || exit 0 +command -v nm-applet > /dev/null 2>&1 || exit 0 # Source Qubes library. +# shellcheck source=init/functions . /usr/lib/qubes/init/functions # Hide nm-applet when network-manager is disabled diff --git a/network/update-proxy-configs b/network/update-proxy-configs index c5c7e50..9d067c4 100755 --- a/network/update-proxy-configs +++ b/network/update-proxy-configs @@ -22,6 +22,7 @@ # # Source Qubes library. +# shellcheck source=init/functions . /usr/lib/qubes/init/functions BEGIN_MARKER="### QUBES BEGIN ###" 
@@ -37,24 +38,25 @@ update_conf() { local CONF_OPTIONS="$2" # Ensure that Qubes conf markers are present in the file - if ! grep -q "$BEGIN_MARKER" $CONF_PATH; then - if grep -q "$END_MARKER" $CONF_PATH; then + if ! grep -q "$BEGIN_MARKER" "$CONF_PATH"; then + if grep -q "$END_MARKER" "$CONF_PATH"; then echo "ERROR: found QUBES END marker but not QUBES BEGIN in ${CONF_PATH}" >&2 echo "Fix the file by either removing both of them, or adding missing back and retry" >&2 exit 1 fi - cp $CONF_PATH ${CONF_PATH}.qubes-orig - echo "$BEGIN_MARKER" >> $CONF_PATH - echo "$END_MARKER" >> $CONF_PATH - elif ! grep -q "$END_MARKER" $CONF_PATH; then + cp "$CONF_PATH" "${CONF_PATH}.qubes-orig" + echo "$BEGIN_MARKER" >> "$CONF_PATH" + echo "$END_MARKER" >> "$CONF_PATH" + elif ! grep -q "$END_MARKER" "$CONF_PATH"; then echo "ERROR: found QUBES BEGIN marker but not QUBES END in ${CONF_PATH}" >&2 echo "Fix the file by either removing both of them, or adding missing back and retry" >&2 exit 1 fi # Prepare config block - local tmpfile=`mktemp` - cat > ${tmpfile} < "${tmpfile}" </dev/null || :)" + appvm_ip="$(qubesdb-read "/mapped-ip/$ip/visible-ip" 2>/dev/null || :)" fi # Apply NAT if IP visible from the VM is different than the "real" one # See vif-qubes-nat.sh for details -if [ -n "$appvm_ip" -a -n "$appvm_gw_ip" -a "$appvm_ip" != "$netvm_ip" ]; then +if [ -n "$appvm_ip" ] && [ -n "$appvm_gw_ip" ] && [ "$appvm_ip" != "$netvm_ip" ]; then + # shellcheck disable=SC2154 if test "$command" == online; then - echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp + # shellcheck disable=SC2154 + echo 1 >"/proc/sys/net/ipv4/conf/${vif}/proxy_arp" fi + # shellcheck source=network/vif-qubes-nat.sh . 
"$dir/vif-qubes-nat.sh" fi - +# shellcheck disable=SC2154 case "$command" in online) - ifconfig ${vif} up - echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp + ifconfig "${vif}" up + echo 1 >"/proc/sys/net/ipv4/conf/${vif}/proxy_arp" ipcmd='add' iptables_cmd='-I PREROUTING 1' cmdprefix='' ;; offline) - do_without_error ifdown ${vif} + do_without_error ifdown "${vif}" ipcmd='del' iptables_cmd='-D PREROUTING' cmdprefix='do_without_error' @@ -71,23 +76,23 @@ domid=${vif/vif/} domid=${domid/.*/} # metric must be possitive, but prefer later interface # 32752 is max XID aka domid -metric=$[ 32752 - $domid ] +metric=$(( 32752 - domid )) if [ "${ip}" ] ; then # If we've been given a list of IP addresses, then add routes from dom0 to # the guest using those addresses. for addr in ${ip} ; do - ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric + ${cmdprefix} ip route "${ipcmd}" "${addr}" dev "${vif}" metric "$metric" done echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${ip} -j DROP\nCOMMIT" | \ ${cmdprefix} flock $lockfile iptables-restore --noflush - ${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif} + ${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}" fi log debug "Successful vif-route-qubes $command for $vif." if [ "$command" = "online" ] then # disable tx checksumming offload, apparently it doesn't work with our ancient qemu in stubdom - do_without_error ethtool -K $vif tx off + do_without_error ethtool -K "$vif" tx off success fi