This systemd unit should start a wrapper launch script with this (extracted from P91):
#!/bin/sh lxc-start -n mailserver -d iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 25 -j DNAT --to-destination 10.0.3.8:25 iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 21080 -j DNAT --to-destination 10.0.3.8:80 iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 110 -j DNAT --to-destination 10.0.3.8:110 iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 143 -j DNAT --to-destination 10.0.3.8:143 iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 465 -j DNAT --to-destination 10.0.3.8:465 iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 587 -j DNAT --to-destination 10.0.3.8:587 iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 993 -j DNAT --to-destination 10.0.3.8:993 iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 995 -j DNAT --to-destination 10.0.3.8:995 iptables -t nat -I PREROUTING -i docker0 -p TCP -d 212.129.32.223/32 --dport 25 -j DNAT --to-destination 10.0.3.8:25 iptables -t nat -I PREROUTING -i docker0 -p TCP -d 212.129.32.223/32 --dport 143 -j DNAT --to-destination 10.0.3.8:143 iptables -t nat -I PREROUTING -i docker0 -p TCP -d 212.129.32.223/32 --dport 465 -j DNAT --to-destination 10.0.3.8:465 iptables -t nat -I PREROUTING -i docker0 -p TCP -d 212.129.32.223/32 --dport 587 -j DNAT --to-destination 10.0.3.8:587