This is the current work-around we have installed into /etc/network/if-pre-up.d/iptables:
/sbin/iptables-restore <<EOF
# Generated by iptables-save v1.4.8
*filter
:INPUT ACCEPT [318:33352]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [466:71238]
-A INPUT -s ${VM_NET}/28 -d ${VM_HOST}/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s ${VM_NET}/28 -d ${VM_HOST}/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d ${VM_HOST}/32 -p udp -m udp --dport 53 -j DROP
-A INPUT -d ${VM_HOST}/32 -p tcp -m tcp --dport 53 -j DROP
COMMIT
EOF

${VM_NET}/28 - is our subnet of IPs used by hosted VMs
${VM_HOST}/32 - is the public IP of the host

-- 
Alex, homepage: http://www.bennee.com/~alex/
An alcoholic is someone you don't like who drinks as much as you do.
-- Dylan Thomas
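The work-around above relies on iptables' first-match semantics in the INPUT chain: the two ACCEPT rules for the VM subnet must come before the catch-all DROP rules for port 53, otherwise the VMs lose DNS while the host still looks "closed". The following is an added example, not Alex's script: a POSIX sh generator that builds the same ruleset from VM_NET and VM_HOST (with a basic sanity check on both values before they reach the firewall) and a lint that rejects a ruleset in which a DROP for port 53 precedes its ACCEPT exception. The helper names gen_dns_rules and check_dns_order are hypothetical, and the addresses in the usage line are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original mail). Generates the "DNS only for our
# VMs" ruleset and checks its ordering. Helper names are hypothetical.

# Emit an iptables-restore ruleset that limits port 53 on the host to the
# VM subnet. $1 = VM subnet address (a /28, as in the mail), $2 = host IP.
gen_dns_rules() {
    net="$1"; host="$2"
    # Refuse values that are not plain dotted IPv4 before they hit the firewall.
    case "$net" in *[!0-9.]*|"") echo "bad VM_NET: '$net'" >&2; return 1;; esac
    case "$host" in *[!0-9.]*|"") echo "bad VM_HOST: '$host'" >&2; return 1;; esac
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s ${net}/28 -d ${host}/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s ${net}/28 -d ${host}/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d ${host}/32 -p udp -m udp --dport 53 -j DROP
-A INPUT -d ${host}/32 -p tcp -m tcp --dport 53 -j DROP
COMMIT
EOF
}

# Lint a ruleset read from stdin. iptables stops at the first matching rule,
# so for each protocol the "--dport 53 ... -j DROP" line must come after that
# protocol's ACCEPT line. Exit 0 when the order is right, 1 otherwise.
check_dns_order() {
    awk '
        /--dport 53/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "-p") seen_accept[$(i+1)] = 1
        }
        /--dport 53/ && /-j DROP/ {
            for (i = 1; i <= NF; i++) if ($i == "-p") proto = $(i+1)
            if (!seen_accept[proto]) {
                printf "DROP for %s precedes its ACCEPT\n", proto
                bad = 1
            }
        }
        END { if (bad) exit 1 }
    '
}

# Usage (constructed sample addresses): lint first, then load.
#   gen_dns_rules 203.0.113.16 198.51.100.7 | check_dns_order \
#     && gen_dns_rules 203.0.113.16 198.51.100.7 | /sbin/iptables-restore
```

When used from /etc/network/if-pre-up.d the file must be executable and start with a shebang, as the scripts in that directory are run directly by ifup. Piping the generated ruleset through check_dns_order before iptables-restore catches the ordering mistake that would otherwise only show up as VMs failing to resolve names.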