The summary is packets forwarded between the bridged interfaces also go through iptables, therefore potentially creating connection-tracking states before it gets to the NAT-enabled outbound interface. Then later, when the packet is routed to the NAT-enabled outbound interface, the NAT table will not be consulted anymore because the conn-track entry already exists for that packet.
The two possible solutions:
- echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables #To disable Iptables in the bridge.
- Raw table: This table can be used to avoid packets (connection really) to enter the NAT table: iptables -t raw -I PREROUTING -i BRIDGE -s x.x.x.x -j NOTRACK.