Assuming a bridged ethernet called br0, I've added the following rules:
iptables -I FORWARD -i br0 -o br0 \
  -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i br0 -o br0 \
  -m state --state NEW -j ACCEPT
This will allow UDP, TCP, and ICMP initiated from the physical network to be routed to VMs attached to the br0 bridge.
This configuration routes all traffic, which some might consider bad form. If the KVM host only ran a fixed set of VMs, it might be wise to lock down specific ports. In a dynamic environment (like my lab), the level of effort to support iptables on the host exceeds the risk, as the VMs are all running iptables themselves.
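One way to do the port lock-down mentioned above for a fixed set of VMs, as an added example that is not from the original post. The uplink name eth0, the chain name BR0-IN, the VM addresses and ports, and the choice to keep ping open are all assumptions; the script only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the rule set; review it,
# then pipe the output to "sh" as root to apply.
BRIDGE=br0        # bridge name from the post
UPLINK=eth0       # assumption: physical NIC enslaved to br0
CHAIN=BR0-IN      # hypothetical chain name

# "vm_ip proto port", one entry per line. Constructed sample values.
SERVICES='192.0.2.10 tcp 22
192.0.2.10 tcp 443
192.0.2.11 udp 53'

gen_rules() {
    echo "iptables -N $CHAIN"
    # Replies to connections the VMs opened themselves.
    echo "iptables -A $CHAIN -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "$SERVICES" | while read -r ip proto port; do
        [ -n "$ip" ] || continue
        # Reject anything that is not a plain address, tcp/udp, numeric port.
        case "$ip" in *[!0-9./]*) echo "skipped: $ip" >&2; continue ;; esac
        case "$proto" in tcp|udp) ;; *) echo "skipped: $ip $proto" >&2; continue ;; esac
        case "$port" in ''|*[!0-9]*) echo "skipped: $ip $proto $port" >&2; continue ;; esac
        echo "iptables -A $CHAIN -d $ip -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    # Assumption: ping to the VMs stays allowed.
    echo "iptables -A $CHAIN -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT"
    echo "iptables -A $CHAIN -j DROP"
    # Only frames entering the bridge from the uplink are filtered; -I puts
    # the jump ahead of the accept-all rules shown in the post.
    echo "iptables -I FORWARD -i $BRIDGE -o $BRIDGE -m physdev --physdev-in $UPLINK -j $CHAIN"
}

gen_rules
```

Traffic initiated by the VMs does not match the physdev rule and continues to whatever FORWARD rules follow it.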