I second the use of nftables instead. Optimally with a pre-made role like this one: https://galaxy.ansible.com/ui/standalone/roles/ipr-cnrs/nftables/documentation/

this could be interesting if “collaborative” meant that different instances could federate

Ran into the real ip problem too in prod where we needed ip6 too and the podman version is too old to have anything newer. But running the proxy with network=host and anything behind is listening on 127.0.0.1:x is working well so far. It’s not so elegant as it could be, but it works smoothly.