network defined creates iptables and ip6tables rules

ip6tables

# Generated by ip6tables-save v1.4.12 on Sat Nov 30 11:46:47 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3:288]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 2a01:4f8:150:5024::10:0/112 -o virbr0 -j ACCEPT
-A FORWARD -s 2a01:4f8:150:5024::10:0/112 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp6-port-unreachable
COMMIT
# Completed on Sat Nov 30 11:46:47 2013

iptables

# Generated by iptables-save v1.4.12 on Sat Nov 30 11:28:42 2013
*nat
:PREROUTING ACCEPT [5718:383814]
:INPUT ACCEPT [113:5653]
:OUTPUT ACCEPT [5189:358109]
:POSTROUTING ACCEPT [5636:384673]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Nov 30 11:28:42 2013
# Generated by iptables-save v1.4.12 on Sat Nov 30 11:28:42 2013
*mangle
:PREROUTING ACCEPT [58728:28499689]
:INPUT ACCEPT [52484:28087378]
:FORWARD ACCEPT [4306:304526]
:OUTPUT ACCEPT [54969:21185335]
:POSTROUTING ACCEPT [56175:21254623]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sat Nov 30 11:28:42 2013
# Generated by iptables-save v1.4.12 on Sat Nov 30 11:28:42 2013
*filter
:INPUT ACCEPT [205:12568]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [194:80925]
:fail2ban-ssh - [0:0]
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 177.220.140.10/32 -j DROP
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Sat Nov 30 11:28:42 2013

pxe.xml

<network>
  <name>pxe</name>
  <uuid>a0d88993-304b-4dc0-54fb-196dafe1f700</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0' />
  <mac address='52:54:00:9B:F2:FF'/>
  <ip address='192.168.122.1' prefix='24'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254' />
      <bootp file='pxelinux.0' />
    </dhcp>
  </ip>
  <ip family='ipv6' address='2a01:4f8:150:5024::10:1' prefix='112'>
  </ip>
</network>