Comment 4 for bug 573461

Loïc Minier (lool) wrote :

Hmm, I had a similar issue but came to a different conclusion.

I had done a libvirt + ufw lucid install and had some vms working -- traffic from vms to the outside world and replies would work, traffic between vms would work etc. Basically things worked fine.

Then I wanted to map a host port to a VM port, that is, I wanted connections to the host on port xyz to go to a VM on port 22 so that I could SSH into a VM from the Internet despite the libvirt NATing on virbr0. I followed the instructions from the ufw-framework man page about Port Redirections, which call for editing the ufw-before-forward rules.

Unfortunately, this wouldn't work and I discovered that the FORWARD rules were something like:
ACCEPT all -- any virbr0 anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- virbr0 any 192.168.122.0/24 anywhere
ACCEPT all -- virbr0 virbr0 anywhere anywhere
REJECT all -- any virbr0 anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- virbr0 any anywhere anywhere reject-with icmp-port-unreachable
ufw-before-logging-forward all -- any any anywhere anywhere
ufw-before-forward all -- any any anywhere anywhere

These "sanity check" rules sit at the very top to ensure that traffic for 192.168.122.0/24 doesn't come from anywhere other than virbr0. Obviously, in my NATing case this wouldn't be true, since the traffic came in on eth0 for the host IP but was NATed to the VM's IP.

I moved the ufw-before-logging-forward and ufw-before-forward calls manually before the virbr0 rules, and things worked!

It would seem to me that the issue is with libvirt-generated rules which are inserted before the ufw ones. This might depend on boot order.
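The ordering problem described in this comment is easy to miss by eye, so here is a small added check (example code, not part of the bug report or of ufw/libvirt) that parses a FORWARD chain listing in the same column layout as the one quoted above, reports whether libvirt's virbr0 REJECT rules come before the ufw-before-* chain jumps (which makes the ufw port-redirection rules unreachable for NATed traffic), and emits the iptables -D/-I commands that would move the jumps to the top the way the commenter did by hand. The sample listing is constructed to reproduce the situation from the comment; the bridge name virbr0 and chain name FORWARD are parameters.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a FORWARD chain in the same column layout as the comment
# (target, proto, opt, in, out, source, destination, extras), with libvirt's
# virbr0 rules ahead of the ufw chain jumps.
SAMPLE_FORWARD = """\
Chain FORWARD (policy DROP)
target     prot opt in     out     source               destination
ACCEPT     all  --  any    virbr0  anywhere             192.168.122.0/24     state RELATED,ESTABLISHED
ACCEPT     all  --  virbr0 any     192.168.122.0/24     anywhere
ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere
REJECT     all  --  any    virbr0  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  virbr0 any     anywhere             anywhere             reject-with icmp-port-unreachable
ufw-before-logging-forward  all  --  any    any     anywhere             anywhere
ufw-before-forward  all  --  any    any     anywhere             anywhere
"""


@dataclass
class Rule:
    position: int  # 1-based rule number, as iptables -D/-I count it
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str


def parse_forward_chain(listing: str) -> List[Rule]:
    """Turn an iptables chain listing (with in/out interface columns) into Rule objects."""
    rules: List[Rule] = []
    for line in listing.splitlines():
        if not line.strip() or line.startswith("Chain ") or line.startswith("target"):
            continue  # skip the chain header and the column header
        parts = line.split(None, 7)
        if len(parts) < 7:
            continue  # not a rule line we understand
        target, proto, _opt, in_if, out_if, src, dst = parts[:7]
        extra = parts[7].strip() if len(parts) > 7 else ""
        rules.append(Rule(len(rules) + 1, target, proto, in_if, out_if, src, dst, extra))
    return rules


def check_ufw_ordering(rules: List[Rule], bridge: str = "virbr0") -> Dict[str, object]:
    """Report whether a REJECT on the bridge precedes the first ufw-before-* jump.

    If it does, forwarded traffic that the bridge rules reject never reaches the
    ufw-before-forward chain, so port redirections configured there are dead."""
    ufw_jumps = [r for r in rules if r.target.startswith("ufw-before")]
    bridge_rejects = [r for r in rules
                      if r.target == "REJECT" and bridge in (r.in_if, r.out_if)]
    first_ufw: Optional[int] = ufw_jumps[0].position if ufw_jumps else None
    first_reject: Optional[int] = bridge_rejects[0].position if bridge_rejects else None
    shadowed = first_ufw is not None and first_reject is not None and first_reject < first_ufw
    return {"first_ufw_jump": first_ufw,
            "first_bridge_reject": first_reject,
            "ufw_shadowed": shadowed}


def reorder_commands(rules: List[Rule], chain: str = "FORWARD") -> List[str]:
    """Commands that move the ufw-before-* jumps to the top of the chain.

    Deletes go from the highest rule number down so the remaining numbers stay
    valid; inserts at position 1 go in reverse so the jumps keep their relative
    order (logging chain before the filtering chain)."""
    jumps = [r for r in rules if r.target.startswith("ufw-before")]
    cmds = [f"iptables -D {chain} {r.position}"
            for r in sorted(jumps, key=lambda r: -r.position)]
    cmds += [f"iptables -I {chain} 1 -j {r.target}" for r in reversed(jumps)]
    return cmds


def simulate_reorder(rules: List[Rule]) -> List[Rule]:
    """Return the chain as it would look after reorder_commands() was applied."""
    jumps = [r for r in rules if r.target.startswith("ufw-before")]
    rest = [r for r in rules if not r.target.startswith("ufw-before")]
    reordered = jumps + rest
    return [Rule(i + 1, r.target, r.proto, r.in_if, r.out_if, r.src, r.dst, r.extra)
            for i, r in enumerate(reordered)]


if __name__ == "__main__":
    parsed = parse_forward_chain(SAMPLE_FORWARD)
    print(check_ufw_ordering(parsed))
    for cmd in reorder_commands(parsed):
        print(cmd)
```

On a live host the listing would come from `iptables -L FORWARD -v -n` (the extra packet/byte columns would need skipping); the fix commands are printed rather than executed so they can be reviewed, and they do not survive a reboot, which matches the commenter's observation that the ordering may depend on boot order.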