Even with bridged networking, a KVM (libvirtd) guest can't be reached from the network (except by the KVM host machine). The two ways to deal with this on a Debian or Debian derived (e.g. Ubuntu) system are as follows:
This solution provides minimal access to bridged guests. It does not disable netfilter on the bridge. It does require the guest to have a static IP address, as it won't be able to receive one from the local network.
Modify /etc/ufw/before.rules to add a FORWARD rule with the guest's IP address:
# allow all traffic to 10.1.0.81
-A FORWARD -d 10.1.0.81 -j ACCEPT
-A FORWARD -s 10.1.0.81 -j ACCEPT
Then reload the firewall:
$ sudo ufw reload
This is the most common approach. Most servers will have a host bridge as their primary interface, and disabling netfilter through that bridge will allow guests to be reached from the local network. It will allow bridged guests to act as DHCP clients on the local network.
Load br_netfilter:
$ sudo modprobe br_netfilter
Create /etc/modules-load.d/br_netfilter.conf:
$ sudo echo "br_netfilter" > /etc/modules-load.d/br_netfilter.conf
Create/etc/sysctl.d/10-bridge.conf:
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-arptables=0
Update running config:
$ sudo sysctl -p /etc/sysctl.d/10-bridge.conf
Verify:
$ sudo sysctl -a | grep "bridge-nf-call"
This solution has the advantage of allowing bridged guests to recieve addresses over DHCP from a provider such as your router or a local network server.
Thank you!. Second solution worked for me (on Ubuntu 22.04), first not.