嵌套 KVM 上的 iptables 似乎正在丢弃返回流量

我正在尝试让嵌套的 KVM 在 Google Cloud 中运行，但在 Centos 7 丢弃通过 IP 表返回的流量时遇到了问题。

Centos 7 形成了一个虚拟路由器 (VR)，它位于 KVM 中的设备组的最前面。云上运行的操作系统是 Ubuntu 18（我也尝试过 16 和 20 - 结果相同）。我在 br0（在 Ubuntu 上）上的 IP 地址是 172.30.7.1，Centos VR 上出站接口上的 IP 地址是 172.30.7.100。Centos VR 后面的设备正在向服务器发出请求并得到响应。前几个数据包可以正常通过，但有些数据包被丢弃了。我不知道为什么，但这会导致服务器重新传输，但这些数据包都无法到达设备。

以下是我从服务器返回的 VR 上看到的内容：

06:05:32.671293 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [S.], seq 3432102555, ack 164728512, win 65535, options [mss 1430,sackOK,TS val 3630073863 ecr 5296823,nop,wscale 8], length 0
06:05:32.671308 IP 34.84.96.34.bc.googleusercontent.com.https > device.38298: Flags [S.], seq 3432102555, ack 164728512, win 65535, options [mss 1430,sackOK,TS val 3630073863 ecr 5296823,nop,wscale 8], length 0
06:05:32.672567 IP localhost.localdomain.38298 > 34.84.96.34.bc.googleusercontent.com.https: Flags [.], ack 1, win 229, options [nop,nop,TS val 5296826 ecr 3630073863], length 0
06:05:32.673732 IP device.38298 > 34.84.96.34.bc.googleusercontent.com.https: Flags [P.], seq 1:235, ack 1, win 229, options [nop,nop,TS val 5296827 ecr 3630073863], length 234
06:05:32.673745 IP localhost.localdomain.38298 > 34.84.96.34.bc.googleusercontent.com.https: Flags [P.], seq 1:235, ack 1, win 229, options [nop,nop,TS val 5296827 ecr 3630073863], length 234
06:05:32.675099 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], ack 235, win 261, options [nop,nop,TS val 3630073867 ecr 5296827], length 0
06:05:32.675111 IP 34.84.96.34.bc.googleusercontent.com.https > device.38298: Flags [.], ack 235, win 261, options [nop,nop,TS val 3630073867 ecr 5296827], length 0
06:05:32.676296 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 1:1409, ack 235, win 261, options [nop,nop,TS val 3630073868 ecr 5296827], length 1408
06:05:32.676307 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 1409:1419, ack 235, win 261, options [nop,nop,TS val 3630073868 ecr 5296827], length 10
06:05:32.676312 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 1419:2827, ack 235, win 261, options [nop,nop,TS val 3630073868 ecr 5296827], length 1408
06:05:32.676317 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 2827:2837, ack 235, win 261, options [nop,nop,TS val 3630073868 ecr 5296827], length 10
06:05:32.676319 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 2837:4245, ack 235, win 261, options [nop,nop,TS val 3630073868 ecr 5296827], length 1408
06:05:32.676325 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 4245:4255, ack 235, win 261, options [nop,nop,TS val 3630073868 ecr 5296827], length 10
06:05:32.676330 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 4255:5663, ack 235, win 261, options [nop,nop,TS val 3630073868 ecr 5296827], length 1408
06:05:32.676332 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [P.], seq 5663:5672, ack 235, win 261, options [nop,nop,TS val 3630073868 ecr 5296827], length 9
06:05:32.684887 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 4255:5663, ack 235, win 261, options [nop,nop,TS val 3630073877 ecr 5296827], length 1408
06:05:32.684906 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [P.], seq 5663:5672, ack 235, win 261, options [nop,nop,TS val 3630073877 ecr 5296827], length 9
06:05:32.892016 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 1:1409, ack 235, win 261, options [nop,nop,TS val 3630074084 ecr 5296827], length 1408
06:05:32.892051 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 1409:1419, ack 235, win 261, options [nop,nop,TS val 3630074084 ecr 5296827], length 10
06:05:33.299979 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 1:1409, ack 235, win 261, options [nop,nop,TS val 3630074492 ecr 5296827], length 1408
06:05:33.300007 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 1409:1419, ack 235, win 261, options [nop,nop,TS val 3630074492 ecr 5296827], length 10
06:05:34.147973 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 1:1409, ack 235, win 261, options [nop,nop,TS val 3630075340 ecr 5296827], length 1408
06:05:34.147996 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 1409:1419, ack 235, win 261, options [nop,nop,TS val 3630075340 ecr 5296827], length 10
06:05:35.811929 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 1:1409, ack 235, win 261, options [nop,nop,TS val 3630077004 ecr 5296827], length 1408
06:05:35.811963 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 1409:1419, ack 235, win 261, options [nop,nop,TS val 3630077004 ecr 5296827], length 10
06:05:37.962059 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38272: Flags [.], seq 1:1409, ack 236, win 261, options [nop,nop,TS val 1904087777 ecr 5295821], length 1408
06:05:37.962098 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38272: Flags [.], seq 1409:1419, ack 236, win 261, options [nop,nop,TS val 1904087777 ecr 5295821], length 10
06:05:39.076057 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 1:1409, ack 235, win 261, options [nop,nop,TS val 3630080268 ecr 5296827], length 1408
06:05:39.076091 IP 34.84.96.34.bc.googleusercontent.com.https > localhost.localdomain.38298: Flags [.], seq 1409:1419, ack 235, win 261, options [nop,nop,TS val 3630080268 ecr 5296827], length 10

我不知道接下来该怎么办。我尝试将 KVM 运行的 Ubuntu 实例更改为版本 16 和版本 20，但没有任何变化。我还尝试将 CentOS 7 实例更改为 Ubuntu 映像，但它显示了相同的行为。

欢迎任何建议。