<p>Using physdev seems to make it work:</p>
<pre><code>#!/bin/bash
# Transparent bridge firewall: br0 bridges eth0 (inside) and eth1 (outside).
# Prerequisite: physdev only sees bridged traffic when br_netfilter is active
# (modprobe br_netfilter; sysctl -w net.bridge.bridge-nf-call-iptables=1).
# clean rules
iptables -F
iptables -X
# default rules (note: bridged traffic matching none of the physdev rules below is accepted)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# block input and output on the bridge host itself (might need physdev on these too?)
# locally delivered bridged packets carry -i br0, so the br0 rule is the one that matches them
iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth0 -j DROP
iptables -I INPUT -i br0 -j DROP
iptables -I OUTPUT -o eth1 -j REJECT
iptables -I OUTPUT -o eth0 -j REJECT
iptables -I OUTPUT -o br0 -j REJECT
# drop invalid (inserted first so it precedes the accept rules appended below)
iptables -I FORWARD -m conntrack --ctstate INVALID -j DROP
# allow outgoing: inside -> outside unrestricted, outside -> inside only replies
iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
## allow an incoming service
# http (-p tcp must precede --dport)
iptables -A FORWARD -p tcp -m physdev --physdev-in eth1 --physdev-out eth0 -d <server ip> --dport 80 -j ACCEPT
# reject everything else arriving from outside
iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -j REJECT
</code></pre>
<p>Many thanks to SuperJediWombat! and TimothyEBaldwin on linuxquestions.org forum!</p>
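<p>As an added example (not part of the original post or the forum answer), here is the same physdev layout with a default-deny FORWARD policy and pre-flight checks for the two things that silently break a bridge firewall: a port that is not actually enslaved to the bridge, and br_netfilter not hooking bridged frames into iptables (in which case the physdev rules never match and the policy decides everything). The interface names br0/eth0/eth1 follow the post; the server address 192.0.2.10, the SYSFS/PROCFS overrides and the function names are assumptions made for this example.</p>

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks plus a
# default-deny variant of the physdev bridge firewall.
# Assumed names: bridge br0, inside port eth0, outside port eth1,
# published service SERVER_IP:80 (adjust to your host).
BRIDGE=${BRIDGE:-br0}
INSIDE=${INSIDE:-eth0}
OUTSIDE=${OUTSIDE:-eth1}
SERVER_IP=${SERVER_IP:-192.0.2.10}   # RFC 5737 documentation address, constructed
SYSFS=${SYSFS:-/sys}                # overridable so the checks can run offline
PROCFS=${PROCFS:-/proc}

# returns 0 if interface $2 is enslaved to bridge $1
# (the kernel lists bridge members under /sys/class/net/<bridge>/brif/)
bridge_has_port() {
  [ -d "$SYSFS/class/net/$1/brif/$2" ]
}

# physdev matches only fire when br_netfilter passes bridged traffic to iptables
bridge_nf_enabled() {
  [ "$(cat "$PROCFS/sys/net/bridge/bridge-nf-call-iptables" 2>/dev/null)" = 1 ]
}

# run every check; report what is missing, return 1 on any failure
pre_flight() {
  rc=0
  for port in "$INSIDE" "$OUTSIDE"; do
    bridge_has_port "$BRIDGE" "$port" || {
      echo "$port is not a port of $BRIDGE" >&2; rc=1; }
  done
  bridge_nf_enabled || {
    echo "net.bridge.bridge-nf-call-iptables is not 1" >&2
    echo "(modprobe br_netfilter; sysctl -w net.bridge.bridge-nf-call-iptables=1)" >&2
    rc=1; }
  return $rc
}

# apply the ruleset; refuses to touch iptables if pre_flight fails
apply_rules() {
  pre_flight || return 1
  iptables -F
  iptables -X
  # default deny on FORWARD: anything the physdev rules below do not name is dropped,
  # including bridged traffic that reaches iptables without physdev information
  iptables -P FORWARD DROP
  iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
  # inside -> outside: everything, and the replies back
  iptables -A FORWARD -m physdev --physdev-in "$INSIDE" --physdev-out "$OUTSIDE" -j ACCEPT
  iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" --physdev-out "$INSIDE" \
    -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # outside -> inside: only new connections to the published service
  iptables -A FORWARD -p tcp -m physdev --physdev-in "$OUTSIDE" --physdev-out "$INSIDE" \
    -d "$SERVER_IP" --dport 80 -m conntrack --ctstate NEW -j ACCEPT
  # log what the policy is about to drop, rate-limited, so mistakes are visible
  iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "bridge-fw drop: "
}

# usage: ./bridge-fw.sh check   (run the pre-flight only)
#        ./bridge-fw.sh apply   (check, then install the rules)
case "${1:-}" in
  apply) apply_rules ;;
  check) pre_flight && echo "ok" ;;
esac
```

<p>The host's own INPUT/OUTPUT handling is left as in the post above; the point here is that with FORWARD defaulting to DROP, a missing br_netfilter or a mis-named port fails closed instead of silently passing everything, and pre_flight tells you which of the two it was before any rule is installed.</p>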