The only modification is that I pin containers to an IPv4 address so I can limit the forward rule to that address.