This is a research paper by Muhammad Kamran Azeem which discusses the behaviour of iptables rules as seen on a XEN or KVM (physical) host: rules that the administrator has configured do not stay as configured. The problem and the solutions are discussed in depth. The article is available in HTML and PDF formats. A CBT (computer-based training) has also been created to explain the problem and the solutions suggested in this paper. An extract from the paper is copied below.

… In this paper, we will explain that it is not XEN which is over-writing/modifying the iptables rules; it is actually “libvirt” which is doing so. And so far, at the time of this writing, there is no solution for it. It is a known bug and is still in the OPEN/ASSIGNED state on the Red Hat and Fedora Bugzilla websites …
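A quick way to check the paper's claim on your own host is to attribute the unexpected rules to libvirt rather than to XEN. The script below is an added example written for this page; it is not code from the paper or from the libvirt project. It assumes libvirt's shipped defaults for its "default" NAT network, a bridge named virbr0 and the subnet 192.168.122.0/24 (both overridable through environment variables), and it runs offline against a constructed iptables-save dump so the check can be read before it is pointed at a live ruleset.

```shell
#!/bin/sh
# Added example (not from the paper): attribute iptables rules on a XEN/KVM
# host to libvirt's "default" NAT network.
# Assumptions: libvirt's default bridge is virbr0 and its subnet is
# 192.168.122.0/24 (libvirt's shipped defaults; override if you changed them).

LIBVIRT_BRIDGE="${LIBVIRT_BRIDGE:-virbr0}"
LIBVIRT_SUBNET="${LIBVIRT_SUBNET:-192.168.122.0/24}"

# Read an iptables-save dump on stdin and print only the rule lines (-A ...)
# that mention the libvirt bridge or the libvirt subnet. The MASQUERADE rule
# in the nat table names the subnet, not the bridge, so both are matched.
libvirt_rules() {
    grep '^-A ' | grep -F -e "$LIBVIRT_BRIDGE" -e "$LIBVIRT_SUBNET"
}

# Count of rules attributed to libvirt in a dump read from stdin.
libvirt_rule_count() {
    libvirt_rules | wc -l | tr -d ' '
}

# Snapshot the live ruleset into a file (requires root). Take one snapshot
# before and one after restarting libvirtd (or its default network), then
# run compare_snapshots on the pair: rules present only in the second file
# were put there by libvirt, not by XEN.
snapshot_rules() {
    iptables-save > "$1"
}

# Show the rules that appeared between two snapshots and are attributable
# to libvirt.
compare_snapshots() {
    diff "$1" "$2" | grep '^> -A ' | sed 's/^> //' | libvirt_rules
}

# Constructed sample dump (not taken from a real host): an administrator's
# own INPUT and xenbr0 FORWARD rules mixed with the rules libvirt adds for
# its default network.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample for this example)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT
COMMIT'

# Run the check on the constructed sample; the xenbr0 and eth0 rules are
# left alone, the four libvirt rules are listed.
printf '%s\n' "$SAMPLE_DUMP" | libvirt_rules
```

On a live host, use `snapshot_rules before.rules`, restart libvirtd, `snapshot_rules after.rules`, then `compare_snapshots before.rules after.rules`. Because libvirt recreates these rules whenever its default network is started, a ruleset that looks clean right after a manual flush will change again on the next libvirtd or network restart, which is why a one-off `iptables -F` is not a fix for the behaviour the paper describes.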