If the connection does go thru a proxy the source address of the packet will be the one of the proxy and a supplementary mechanism is necessary - this is how typically a http proxy is set up and you are absolutely right.
Our case is a simple one and I am looking for a simple port forward, not a proxy - so back to a simple solution, using iptables
Host interface ens5, port 2220 forward to
Dest (on bridgel xdbr0), 10.202.82.203:22
sudo iptables -A PREROUTING -p tcp -m tcp --dport 2220 -j DNAT --to-destination 10.202.82.203:22
Jul 16 21:53:12 ub18test1 sshd: error: Received disconnect from 192.168.1.153 port 52760:14: No supported authentication me
Jul 16 21:53:12 ub18test1 sshd: Disconnected from authenticating user ubuntu 192.168.1.153 port 52760 [preauth]
Looking at the Container config keys: https://lxd.readthedocs.io/en/latest/containers/
is easy to configure a static IP for the container (ipv4.address)
I do not see a way to run a startup script in order to set the forwarding automatically when the container does start/remove when it does stop - if I remember well it use to be possible in LXC 2 to have startup/shutdown hooks but I do not see them in 3.0 doc above - any idea?