Hi,
So you should be able to achieve this, but you’ll need to add some custom firewall rules.
If you use an LXD bridge network, and connect each container to it, this will achieve the outbound NAT you’re looking for.
Then if you give each of the containers a static IP using lxc config device set c1 eth0 ip.address=x.x.x.x then dnsmasq will allocate a static IP via DHCP on each boot.
You can then use the bridge IP filtering to stop the containers hijacking others' IPs if you like.
See https://linuxcontainers.org/lxd/docs/master/instances#nictype-bridged
You can then use either DNAT iptables rules or the LXD proxy to forward local ports on the host to C1.
See proxy device for more details: https://linuxcontainers.org/lxd/docs/master/instances#type-proxy
Finally you would add iptables rules on the host to restrict traffic from the other 2 containers as you need.
Be sure to load br_netfilter kernel module and enable the following sysctls so that packets traversing the bridge are passed through iptables though.
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
This should get you what you need.
As @gpatel-fr suggested you could also achieve similar using the forthcoming routed nic type. However you'd still need to use custom firewall rules; all this really does in this case is avoid the need for using the IP filtering feature on the bridged NIC (as it's inherent on routed NIC types).
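As an added example (not part of the post above), a shell script that wires the described steps together. It assumes the bridge name lxdbr0, the 10.10.10.0/24 subnet, containers c1/c2/c3, host port 8080 forwarded to port 80 inside c1, the bridged NIC keys ipv4.address and security.ipv4_filtering, and reads "restrict" as dropping all bridge-local traffic from c2 and c3; by default it only prints the commands, and APPLY=1 executes them.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (not on the page):
# bridge lxdbr0 on 10.10.10.0/24, containers c1/c2/c3, host :8080 -> c1:80,
# and "restrict" meaning c2/c3 may not reach c1 or each other over the bridge.
# Commands are printed unless APPLY=1 is set, so the plan can be reviewed first.
set -eu

BRIDGE=lxdbr0
C1_IP=10.10.10.11; C2_IP=10.10.10.12; C3_IP=10.10.10.13

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Bridge network with outbound NAT; attach each container to it.
setup_bridge() {
  run lxc network create "$BRIDGE" ipv4.address=10.10.10.1/24 ipv4.nat=true ipv6.address=none
  for c in c1 c2 c3; do
    run lxc config device add "$c" eth0 nic nictype=bridged parent="$BRIDGE" name=eth0
  done
}

# Pin the DHCP lease (ipv4.address key of the bridged NIC) and enable bridge
# IP filtering so the container cannot hijack any other address.
set_static_ip() {  # $1 container, $2 address
  run lxc config device set "$1" eth0 ipv4.address="$2"
  run lxc config device set "$1" eth0 security.ipv4_filtering=true
}

# Proxy device: host 0.0.0.0:8080 -> 127.0.0.1:80 in c1's network namespace.
add_proxy() {
  run lxc config device add c1 web proxy listen=tcp:0.0.0.0:8080 connect=tcp:127.0.0.1:80
}

# Without br_netfilter, frames switched between containers on the same bridge
# never reach iptables, so the FORWARD rules below would not see them.
enable_bridge_netfilter() {
  run modprobe br_netfilter
  for t in arptables ip6tables iptables; do
    run sysctl -w "net.bridge.bridge-nf-call-$t=1"
  done
}

# Drop bridge-local IP traffic originating from c2 or c3 (they cannot reach c1
# or each other); NAT traffic leaves via another interface and is unaffected.
restrict_containers() {
  for src in "$C2_IP" "$C3_IP"; do
    run iptables -I FORWARD -i "$BRIDGE" -o "$BRIDGE" -s "$src" -j DROP
  done
}

main() {
  setup_bridge
  set_static_ip c1 "$C1_IP"; set_static_ip c2 "$C2_IP"; set_static_ip c3 "$C3_IP"
  add_proxy; enable_bridge_netfilter; restrict_containers
}
main
```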