Progress. Containers can connect to external addresses after adding:

    iptables -A FORWARD -j ACCEPT -o $publ

and containers can connect to other boxes on the private net after adding:

    iptables -A FORWARD -j ACCEPT -o $priv

and containers can be contacted via the private net after adding:

    iptables -A FORWARD -j ACCEPT -i $priv

What's still perplexing is connections from a container to the host node, whether contacting its public or private address. Some such connections work, e.g. ssh, and some don't, e.g. mysql, nrpe, and ping, and some are divided yes/no by criteria I don't get, e.g. pgsql and dns. I don't get why they don't all just work.
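One thing worth checking in this situation: a packet a container sends to one of the host's own addresses is delivered locally, so it is judged by the host's INPUT chain (arriving on the bridge interface), not by FORWARD, and FORWARD rules never see it. The script below is an added example, not code from the post; it simulates iptables first-match evaluation over a constructed `iptables -S` dump so that the per-service and per-interface differences become visible. The interface names (lxcbr0 as the container bridge, eth0 as $publ, eth1 as $priv) and the INPUT rules are assumptions, not anyone's real configuration.

```python
"""Simulate iptables first-match evaluation over an `iptables -S` style dump.

Added example; the rule set and interface names are constructed assumptions.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample. FORWARD carries the three rules from the post with
# $publ=eth0 and $priv=eth1 assumed; INPUT is a typical host firewall that
# opens a few services, some of them only on one interface.
SAMPLE_DUMP = """
-P INPUT DROP
-P FORWARD DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -j REJECT
-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
"""


@dataclass
class Packet:
    in_if: str                  # interface the packet arrived on
    proto: str = ""             # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    out_if: str = ""            # only meaningful in FORWARD/OUTPUT
    state: str = "NEW"          # conntrack state


@dataclass
class Rule:
    chain: str
    target: str = ""
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    ctstates: Optional[Set[str]] = None

    def matches(self, pkt: Packet) -> bool:
        """Every clause present on the rule must hold for the packet."""
        checks = [(self.in_if, pkt.in_if), (self.out_if, pkt.out_if),
                  (self.proto, pkt.proto), (self.dport, pkt.dport)]
        if any(want is not None and got != want for want, got in checks):
            return False
        return self.ctstates is None or pkt.state in self.ctstates


def parse_dump(dump: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Parse `-P` policies and `-A` rules; refuse options this model lacks."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for line in dump.strip().splitlines():
        toks = shlex.split(line)
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            continue
        if toks[0] != "-A":
            continue
        rule = Rule(chain=toks[1])
        for i in range(2, len(toks), 2):
            opt, arg = toks[i], toks[i + 1]
            if opt == "-m":              # match-extension name; options follow
                continue
            if opt == "-i":
                rule.in_if = arg
            elif opt == "-o":
                rule.out_if = arg
            elif opt == "-p":
                rule.proto = arg
            elif opt == "--dport":
                rule.dport = int(arg)
            elif opt == "--ctstate":
                rule.ctstates = set(arg.split(","))
            elif opt == "-j":
                rule.target = arg
            else:
                raise ValueError(f"unsupported option {opt!r} in {line!r}")
        rules.append(rule)
    return policies, rules


def verdict(chain: str, pkt: Packet, dump: str = SAMPLE_DUMP) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    policies, rules = parse_dump(dump)
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return rule.target
    return policies.get(chain, "ACCEPT")


def container_to_host(bridge: str = "lxcbr0") -> Dict[str, str]:
    """Container -> host's own IP: delivered locally, so INPUT decides.
    The packet arrives on the bridge, so rules keyed on -i eth1 never match."""
    probes = {
        "ssh tcp/22 from bridge": Packet(bridge, "tcp", 22),
        "mysql tcp/3306 from bridge": Packet(bridge, "tcp", 3306),
        "pgsql tcp/5432 from bridge": Packet(bridge, "tcp", 5432),
        "pgsql tcp/5432 from eth1 (other box)": Packet("eth1", "tcp", 5432),
        "dns udp/53 from bridge": Packet(bridge, "udp", 53),
        "ping icmp from bridge": Packet(bridge, "icmp"),
    }
    return {name: verdict("INPUT", pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, result in container_to_host().items():
        print(f"{name:38s} -> {result}")
    print("container -> internet (FORWARD)      ->",
          verdict("FORWARD", Packet("lxcbr0", "tcp", 443, out_if="eth0")))
```

Feeding the real `iptables -S` output in place of the sample makes the same comparison for a live host; the parser raises on any match option it does not model rather than silently ignoring it.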