I am having a couple of iptables issues with this type of setup myself. The RH manual says to insert a rule into the FORWARD chain like this:

-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT

However, for the host does this not mean that every packet is accepted. As far as I can discern from the documentation, when one sets up a physically bridged network on a kvm host then every packet arrives across the bridge interface and, insofar as the host is concerned, anything that it does not orginate itself is forwarded.

I may be wrong on this, but the behaviour of my ssh filters since putting that command in the FORWARD chain indicates that something along those lines is occurring. The i/f eth0 seems to have no relevence to iptables rules for the host instance.