> maybe could we add
>
> -A vmbrX-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
>
> at the beginning of vmbrX-OUT ?

Sorry, I don't get that. What problem does that solve? I thought you want to enable ips per VM?