Multipass Port Forwarding with IPTables

On a Linux host, IPTables can forward ports from the host to a Multipass instance.

FORWARD Chain
When adding an IPTables port forward, be sure to use -I (capital i) to insert the rule. In the examples below, the rules are inserted at position 1 in the FORWARD chain; each newly inserted rule pushes the existing ones down. Inserting is needed because the default is to add FORWARD rules at the end of the chain, where they are evaluated only after the REJECT rules that Multipass generates.

Forward Port 443 to Ubuntu multipass instance
sudo iptables -t nat -I PREROUTING 1 -i wlp1s0 -p tcp --dport 443 -j DNAT --to-destination 10.219.36.119:443
sudo iptables -I FORWARD 1 -p tcp -d 10.219.36.119 --dport 443 -j ACCEPT

Forward Port 3389 to Ubuntu multipass instance
sudo iptables -t nat -I PREROUTING 1 -i wlp1s0 -p tcp --dport 3389 -j DNAT --to-destination 10.219.36.120:3389
sudo iptables -I FORWARD 1 -p tcp -d 10.219.36.120 --dport 3389 -j ACCEPT

These rules are inserted at the beginning of the FORWARD chain (notice how the port 80 rule was pushed down because the 3389 rule was inserted at position 1):

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            10.219.36.120        tcp dpt:3389
ACCEPT     tcp  --  0.0.0.0/0            10.219.36.119        tcp dpt:80 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* generated for Multipass network mpqemubr0 */
ACCEPT     all  --  10.219.36.0/24       0.0.0.0/0            /* generated for Multipass network mpqemubr0 */
ACCEPT     all  --  0.0.0.0/0            10.219.36.0/24       ctstate RELATED,ESTABLISHED /* generated for Multipass network mpqemubr0 */
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            /* generated for Multipass network mpqemubr0 */ reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            /* generated for Multipass network mpqemubr0 */ reject-with icmp-port-unreachable

The PREROUTING rules are added to the NAT table:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to:10.219.36.120:3389
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.219.36.119:80

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  10.219.36.0/24      !10.219.36.0/24       /* generated for Multipass network mpqemubr0 */
MASQUERADE  udp  --  10.219.36.0/24      !10.219.36.0/24       /* generated for Multipass network mpqemubr0 */ masq ports: 1024-65535
MASQUERADE  tcp  --  10.219.36.0/24      !10.219.36.0/24       /* generated for Multipass network mpqemubr0 */ masq ports: 1024-65535
RETURN     all  --  10.219.36.0/24       255.255.255.255      /* generated for Multipass network mpqemubr0 */
RETURN     all  --  10.219.36.0/24       224.0.0.0/24         /* generated for Multipass network mpqemubr0 */
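
To check the FORWARD chain ordering described above, the following added example (not part of the original post) parses a FORWARD listing and reports whether the ACCEPT rule for a forwarded port sits above the first REJECT or DROP rule. The function name forward_rule_order and the APPENDED sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `iptables -L FORWARD -n`
# output on stdin (without --line-numbers) and reports whether the ACCEPT rule
# for DEST_IP:DEST_PORT sits above the first REJECT/DROP rule in the chain.
# Assumption: -L without -v hides interface matches, so every REJECT/DROP above
# the ACCEPT is treated as able to shadow it (conservative).
forward_rule_order() {   # usage: forward_rule_order DEST_IP DEST_PORT
  awk -v dest="$1" -v port="$2" '
    /^Chain / || /^target / || NF == 0 { next }   # skip headers and blank lines
    { n++ }                                        # position of this rule
    ($1 == "REJECT" || $1 == "DROP") && !block { block = n }
    # first tcp ACCEPT for this destination and port (6 is numeric tcp)
    $1 == "ACCEPT" && ($2 == "tcp" || $2 == "6") && $5 == dest &&
      $0 ~ ("dpt:" port "( |$)") && !acc { acc = n }
    END {
      if (!acc) { print "missing"; exit 2 }
      if (block && block < acc) {
        print "shadowed accept=" acc " reject=" block; exit 1
      }
      print "ok accept=" acc " reject=" (block ? block : "none")
    }'
}

# FORWARD listing from the page, trimmed to four rules (comments dropped).
INSERTED='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            10.219.36.120        tcp dpt:3389
ACCEPT     tcp  --  0.0.0.0/0            10.219.36.119        tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            10.219.36.0/24       ctstate RELATED,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# Constructed counter-case: the 3389 rule appended with -A instead of -I ... 1.
APPENDED='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            10.219.36.0/24       ctstate RELATED,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
ACCEPT     tcp  --  0.0.0.0/0            10.219.36.120        tcp dpt:3389'

printf '%s\n' "$INSERTED" | forward_rule_order 10.219.36.120 3389
printf '%s\n' "$APPENDED" | forward_rule_order 10.219.36.120 3389 || true
```

On a live host, pipe `sudo iptables -L FORWARD -n` into `forward_rule_order 10.219.36.120 3389`; exit status 1 means the rule sits below a REJECT or DROP, and 2 means no matching ACCEPT rule exists.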

-duane