nspawn ports binding excludes loopback · Issue #6106 · systemd/systemd

I am experiencing similar issues; for the record, I have also posted this matter on SO at https://stackoverflow.com/questions/44338686/how-use-systemd-nspawn-with-network-veth-and-port-n-and-p/44602835#44602835

systemd version the issue has been seen with

# rpm -q systemd
systemd-231-15.fc25.x86_64

Used distribution

# cat /etc/fedora-release
Fedora release 25 (Twenty Five)

In case of bug report: Expected behaviour you didn't see

I would expect to use --private-network -p 10000:20000 and then to have localhost:10000 on the host side wired into localhost:20000 on the container side.

In case of bug report: Unexpected behaviour you saw

Port 10000 is not reachable on the host side.

In case of bug report: Steps to reproduce the problem

machinectl pull-raw --verify=no https://download.fedoraproject.org/pub/fedora/linux/releases/25/CloudImages/x86_64/images/Fedora-Cloud-Base-25-1.3.x86_64.raw.xz
systemd-nspawn -M Fedora-Cloud-Base-25-1.3.x86_64.raw --private-network -p 10000:20000 nc -l localhost 20000

And then in another terminal

echo hello | nc localhost 10000
Ncat: Connection refused.

Additional material

Having read the manual page for systemd-nspawn rather thoroughly, I would appreciate, regardless of this issue, some more details about the expected interactions that @fsateler suggests systemd-nspawn has with iptables.

I am playing with this on an alpha-production box that already runs a docker-based system, which messes with iptables on its own; so it would help to assess whether running both containerization tools concurrently is likely to create any conflict.
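The "Connection refused" seen in the reproduction above is what you get when the port forward exists only as a DNAT rule in the nat PREROUTING chain: locally generated packets (a connection to localhost on the host itself) never traverse PREROUTING, so only traffic arriving from outside the host reaches the container. The POSIX shell script below is an added example, not part of this issue or of systemd's own code; it parses `iptables-save -t nat` output and reports whether a given port's DNAT rule also covers the OUTPUT chain, which is the chain local connections do traverse. The sample rule text is constructed to resemble a PREROUTING DNAT for `-p 10000:20000` and is an assumption about the exact rule format, as are the container address 10.0.0.2 and the function names.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output (an assumption about the rule
# format, not copied from nspawn): a DNAT rule for host port 10000 in PREROUTING only.
SAMPLE_RULES_PREROUTING_ONLY='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 10000 -j DNAT --to-destination 10.0.0.2:20000
-A POSTROUTING -s 10.0.0.2/32 -j MASQUERADE
COMMIT'

# Constructed variant that additionally has the DNAT in OUTPUT, which is the chain
# a host-local connection to 127.0.0.1:10000 actually passes through.
SAMPLE_RULES_WITH_OUTPUT="$SAMPLE_RULES_PREROUTING_ONLY
-A OUTPUT -o lo -p tcp -m tcp --dport 10000 -j DNAT --to-destination 10.0.0.2:20000"

# has_dnat CHAIN PORT RULES
# Prints "yes" when RULES contain a TCP DNAT rule for PORT in CHAIN, else "no".
has_dnat() {
    chain=$1
    port=$2
    rules=$3
    # The pattern starts with '-' so `--` ends grep's option parsing.
    if printf '%s\n' "$rules" | grep -q -- "^-A $chain .*--dport $port .*-j DNAT"; then
        echo yes
    else
        echo no
    fi
}

# classify_port PORT RULES
# Prints one of:
#   external-only : DNAT only in PREROUTING; connections from the host's own
#                   loopback are NOT forwarded (the symptom reported above)
#   loopback-too  : DNAT present in both PREROUTING and OUTPUT
#   none          : no DNAT rule for PORT at all
classify_port() {
    port=$1
    rules=$2
    pre=$(has_dnat PREROUTING "$port" "$rules")
    out=$(has_dnat OUTPUT "$port" "$rules")
    if [ "$pre" = yes ] && [ "$out" = yes ]; then
        echo loopback-too
    elif [ "$pre" = yes ]; then
        echo external-only
    else
        echo none
    fi
}

# Stand-alone demonstration on the constructed samples.
echo "PREROUTING-only sample, port 10000: $(classify_port 10000 "$SAMPLE_RULES_PREROUTING_ONLY")"
echo "with OUTPUT rule, port 10000:       $(classify_port 10000 "$SAMPLE_RULES_WITH_OUTPUT")"
echo "PREROUTING-only sample, port 2222:  $(classify_port 2222 "$SAMPLE_RULES_PREROUTING_ONLY")"
```

On a live host (as root, with the container running) the same check is `classify_port 10000 "$(iptables-save -t nat)"`; a result of `external-only` means the forward will work from another machine but not from `localhost` on the host, which matches the behaviour described in this report. The script only inspects rules and changes nothing, so it is safe to run on a box where docker also manages iptables.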