Please set

/etc/sysctl
net.bridge.bridge-nf-call-iptables = 1

to make this work
