Bhima Pandava
2014-Apr-28 10:21 UTC
[libvirt-users] Forwarding incoming connections from a secondary external interface with dhcp
Hi everyone,

I have a server (ubuntu 14.04 lts) running KVM with a few guests (each with static IP addresses) which I manage using libvirt. This machine has a wired interface (br0 / p2p1) connecting to my internal network and a wireless interface using dhcp (ppp0) as a secondary direct connection to the internet.

My goal is to route all administration traffic for both the host and guests through the wired interface (br0), while routing the service traffic, and _only_ this traffic, through the ppp0 interface. For example: one vm is a webserver and I wish to route all traffic on ports 80 & 443 from ppp0 to that vm. Another vm is a mailserver and I wish to route all the imap & pop traffic from ppp0 to that vm. At the same time, I wish to be able to ssh in through the wired interface (p2p1) and route all system maintenance traffic through the wired interface as well. Additionally I wish to drop/reject incoming traffic on ppp0 which is not on these specified ports.

Reading the libvirt documentation, I have found a section which very nearly describes my needs: http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections

Unfortunately, I am unsure how to correctly modify the given examples to meet my specific needs. To begin with, the examples assume a static external IP, while mine is dynamic. I think I would like to refer to the interface by name (ppp0) or perhaps create a secondary bridge (br1) with a static IP, with ppp0 included via the "bridge_ports ppp0" directive, and then refer to the static IP of the new bridge (br1). Next, I don't see the correct mechanism which I could configure such that all traffic coming in on ppp0 which is not on the specified ports is rejected/dropped and all administrative traffic, originating from both the host and guests, is routed through the wired interface. I am assuming that this also should be done through libvirt/virsh and not directly through iptables.

If it matters, the wired interface connects to a router running shorewall (and thus the server is in the "dmz" zone). The server itself is not running shorewall or any other similar things. The router is managing the primary connection to the internet, which is distinct from the secondary wireless interface on the server; that one connects to a different ISP.

If anyone could give me some advice or point me to some additional or more relevant documentation/examples I would really, really appreciate it. Thanks!
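One concrete shape for the forwarding half of the setup described above, added here as an example and not part of the original thread or of libvirt itself: a script in the style of the wiki's /etc/libvirt/hooks/qemu hook that keys every rule on the interface name (ppp0) instead of on a static external address. The guest names, the 192.0.2.x guest addresses and the mapping of br0/ppp0 roles are placeholders or assumptions taken from the question.

```shell
#!/bin/sh
# Added example: port forwarding from ppp0 to bridged guests in the shape of a
# /etc/libvirt/hooks/qemu script. Rules match the interface name, so the
# dynamic external address never appears in them. Placeholders (not from the
# post): guests on br0 at 192.0.2.10 (webserver) and 192.0.2.11 (mailserver).
IPT=${IPT:-iptables}   # IPT=echo prints the rules instead of applying them
EXT_IF=ppp0            # secondary, untrusted interface with a dynamic address
GUEST_BR=br0           # bridge the guests are attached to
# baseline: run once at boot. Traffic arriving on $EXT_IF that is neither a
# reply nor an explicitly forwarded port is dropped; per-guest rules go above.
baseline() {
    for chain in INPUT FORWARD; do
        $IPT -A "$chain" -i "$EXT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        $IPT -A "$chain" -i "$EXT_IF" -j DROP
    done
}
# forward_rules -I|-D GUEST_IP PORT... : add or delete, per TCP port, the DNAT
# rule, the FORWARD accept, and a MASQUERADE towards the guest so it replies via
# this host instead of its wired default gateway (hides the client address).
forward_rules() {
    action=$1; guest_ip=$2; shift 2
    for port in "$@"; do
        $IPT -t nat "$action" PREROUTING -i "$EXT_IF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$guest_ip:$port"
        $IPT "$action" FORWARD -i "$EXT_IF" -o "$GUEST_BR" -p tcp -d "$guest_ip" \
            --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
        $IPT -t nat "$action" POSTROUTING -o "$GUEST_BR" -p tcp -d "$guest_ip" \
            --dport "$port" -j MASQUERADE
    done
}

# guest_ports NAME : map a libvirt guest name to "IP PORT..." (placeholders)
guest_ports() {
    case $1 in
        webserver)  echo "192.0.2.10 80 443" ;;
        mailserver) echo "192.0.2.11 110 143 993 995" ;;
        *)          return 1 ;;
    esac
}

# hook GUEST OP : libvirt invokes the script as "qemu GUEST OP SUBOP -"
hook() {
    spec=$(guest_ports "$1") || return 0           # no mapping: nothing to forward
    case $2 in
        start|reconnect) forward_rules -I $spec ;;   # word-split into IP and ports
        stopped)         forward_rules -D $spec ;;
    esac
}

if [ -n "$1" ]; then hook "$1" "$2"; fi
```

The baseline drop is kept apart from the per-guest rules so it can be applied once at boot and survive guest restarts, with the hook's -I inserting the per-port accepts above it. The MASQUERADE is the price of the guests' default route pointing at the wired router rather than at this host; without it, or a policy route on the guest back through the host, replies to forwarded connections would leave via br0 and the connection would never complete.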