libvirt and network filtering with nat - iptables overrides
Solution 1:
You can create your own NAT network instead which means libvirt won't add any firewall rules. See the Custom NAT-based Network on this libvirt Networking Handbook.
Solution 2:
I feel your pain. I really wish libvirt supported this better.
Create a script that applies the port forwarding firewall rules on your guest. Be sure to use iptables -I
so that your rules are inserted before libvirt's REJECT rule.
You need to use hooks to run that script each time libvirt starts or is reloaded.
Also, you should make sure that the rules for libvirt and your port forwarding aren't saved in /etc/sysconfig/iptables. Let libvirt and your hook set those up.