Comment 6 for bug 746497

Looking at http://libvirt.org/formatnetwork.html#examplesRoute, I suspect this is viewed as a feature, since, if you did have some existing firewall rules, this would punch the needed holes through that to let the VMs work as expected. Agreed it wouldn't hurt to make that more configurable. However that would require a patch to be developed upstream.

You should be able to work around this by editing /etc/init/libvirt-bin.conf, and adding

post-start exec iptables -F