Port forwarding from a Linux host to an instance can be performed with IPTables.
FORWARD Chain
When adding an IPTables port forward, be sure to use -I (capital i) to insert the rule. In the examples below, the rules are inserted at position 1 in the FORWARD chain. Each time a rule is inserted, it pushes the existing ones down. Inserting is needed because rules are otherwise added at the end of the FORWARD chain, after the REJECT rules that Multipass generates.
Forward Port 443 to Ubuntu multipass instance
sudo iptables -t nat -I PREROUTING 1 -i wlp1s0 -p tcp --dport 443 -j DNAT --to-destination 10.219.36.119:443
sudo iptables -I FORWARD 1 -p tcp -d 10.219.36.119 --dport 443 -j ACCEPT
Forward Port 3389 to Ubuntu multipass instance
sudo iptables -t nat -I PREROUTING 1 -i wlp1s0 -p tcp --dport 3389 -j DNAT --to-destination 10.219.36.120:3389
sudo iptables -I FORWARD 1 -p tcp -d 10.219.36.120 --dport 3389 -j ACCEPT
Those rules are placed at the beginning of the FORWARD chain (notice how the port 80 rule was pushed down when the 3389 rule was inserted at line 1):
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 10.219.36.120 tcp dpt:3389
ACCEPT tcp -- 0.0.0.0/0 10.219.36.119 tcp dpt:80
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* generated for Multipass network mpqemubr0 */
ACCEPT all -- 10.219.36.0/24 0.0.0.0/0 /* generated for Multipass network mpqemubr0 */
ACCEPT all -- 0.0.0.0/0 10.219.36.0/24 ctstate RELATED,ESTABLISHED /* generated for Multipass network mpqemubr0 */
REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* generated for Multipass network mpqemubr0 */ reject-with icmp-port-unreachable
REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* generated for Multipass network mpqemubr0 */ reject-with icmp-port-unreachable
and the PREROUTING rules will be added to the NAT table:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 to:10.219.36.120:3389
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.219.36.119:80
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.219.36.0/24 !10.219.36.0/24 /* generated for Multipass network mpqemubr0 */
MASQUERADE udp -- 10.219.36.0/24 !10.219.36.0/24 /* generated for Multipass network mpqemubr0 */ masq ports: 1024-65535
MASQUERADE tcp -- 10.219.36.0/24 !10.219.36.0/24 /* generated for Multipass network mpqemubr0 */ masq ports: 1024-65535
RETURN all -- 10.219.36.0/24 255.255.255.255 /* generated for Multipass network mpqemubr0 */
RETURN all -- 10.219.36.0/24 224.0.0.0/24 /* generated for Multipass network mpqemubr0 */
-duane
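A read-only check for the rule-ordering point above, as an added example that is not part of the original post: it reads `iptables -L FORWARD -n` output on stdin and reports whether the ACCEPT rule for a destination and port sits above the first catch-all REJECT or DROP. The function names and the second sample listing are constructed for illustration.

```shell
#!/bin/sh
# rule_position DEST PORT   (reads `iptables -L FORWARD -n` output on stdin)
# Prints "active N", "shadowed N" or "missing"; N is the rule position.
rule_position() {
    awk -v dest="$1" -v port="$2" -v any="0.0.0.0/0" '
        $1 == "Chain" || $1 == "target" || NF == 0 { next }  # skip headers
        {
            n++
            # Without -v the interface columns are hidden, so a REJECT bound
            # to one bridge still looks catch-all; this check is conservative.
            term = ($1 == "REJECT" || $1 == "DROP")
            if (!block && term && $2 == "all" && $4 == any && $5 == any)
                block = n
            if (!hit && $1 == "ACCEPT" && $2 == "tcp" && $5 == dest)
                for (i = 6; i <= NF; i++)
                    if ($i == ("dpt:" port)) { hit = n; shadow = block }
        }
        END {
            if (!hit)        print "missing"
            else if (shadow) print "shadowed " hit
            else             print "active " hit
        }'
}

# Rows taken from the FORWARD listing in the post (rule added with -I ... 1).
listing_inserted() {
cat <<'EOF'
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 10.219.36.120 tcp dpt:3389
ACCEPT all -- 10.219.36.0/24 0.0.0.0/0 /* generated for Multipass network mpqemubr0 */
REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* generated for Multipass network mpqemubr0 */ reject-with icmp-port-unreachable
EOF
}

# Constructed listing: the same rule added with -A lands below the REJECT.
listing_appended() {
cat <<'EOF'
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.219.36.0/24 0.0.0.0/0 /* generated for Multipass network mpqemubr0 */
REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* generated for Multipass network mpqemubr0 */ reject-with icmp-port-unreachable
ACCEPT tcp -- 0.0.0.0/0 10.219.36.120 tcp dpt:3389
EOF
}

listing_inserted | rule_position 10.219.36.120 3389   # active 1
listing_appended | rule_position 10.219.36.120 3389   # shadowed 3
```

On a live host the input would come from `sudo iptables -L FORWARD -n | rule_position 10.219.36.120 3389`.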