In 1.x I had iptables rules on the host machine to filter incoming and outgoing connections to my containers and KVM guests via the FORWARD table. But after the 2.x upgrade this scheme is not working anymore. Even if I just set the default action to DROP in the FORWARD table, it still allows the connections.

How can I filter all the connections from the host now? Do I really have to set up iptables on every single guest OS?