How to close open ports in Docker?

Good day!

Task: close access from outside to all ports except 22, 80 and 443. Servers on the same local network must have access to all the ports listening on this server.

I created these iptables rules:

-P INPUT DROP
-A INPUT -p tcp -m tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/1 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 192.168.1.100/32 -j ACCEPT
-A INPUT -s 192.168.1.101/32 -j ACCEPT
-A INPUT -s 192.168.1.102/32 -j ACCEPT
-A INPUT -i docker0 -j ACCEPT

Everything works, but once the Docker containers are running, Docker adds rules to its own chains that open the listening ports to the outside:

-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9200 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A DOCKER -d 172.17.0.12/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.20/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 11211 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN

How can I solve this, so that the containers' open ports are closed to the outside and reachable only from the specific servers listed in the INPUT chain?
July 9th 19 at 13:01
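Why the INPUT rules above do not help: a connection to a published container port is DNATed to the container address in Docker's nat PREROUTING rules, so the packet traverses FORWARD, never INPUT, and Docker's own FORWARD/DOCKER rules accept it. Docker 17.06 and later insert a jump to a DOCKER-USER chain as the first rule of FORWARD and do not flush that chain, so host-specific restrictions belong there and survive daemon restarts. The script below is an added example (not code from this thread or from Docker) that generates such rules in the same iptables-save syntax as the listing above, can apply them, and checks that DOCKER-USER really is evaluated first. The external interface name eth0 is an assumption; the three allowed hosts are the ones from the question; the sample FORWARD chain it checks is constructed, not captured from the asker's server.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates the rules for the
# DOCKER-USER chain so that forwarded traffic to published container ports is
# accepted only from the LAN hosts listed in the question. Assumed (hypothetical)
# values: the external interface is eth0; adjust EXT_IF/ALLOWED_SOURCES to match.

EXT_IF="${EXT_IF:-eth0}"
ALLOWED_SOURCES="${ALLOWED_SOURCES:-192.168.1.100/32 192.168.1.101/32 192.168.1.102/32}"

# docker_user_rules EXT_IF SRC... : print DOCKER-USER rules in iptables-save
# syntax. RETURN (not ACCEPT) for allowed hosts hands the packet back to FORWARD,
# where Docker's own DOCKER chain still limits access to the published ports.
# The conntrack rule comes first so replies to connections the containers
# opened themselves are not dropped by the catch-all.
docker_user_rules() {
    ext_if=$1
    shift
    printf '%s\n' "-A DOCKER-USER -i $ext_if -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    for src in "$@"; do
        printf '%s\n' "-A DOCKER-USER -i $ext_if -s $src -j RETURN"
    done
    printf '%s\n' "-A DOCKER-USER -i $ext_if -j DROP"
    # Docker's own default rule for the chain; restored after the flush below.
    printf '%s\n' "-A DOCKER-USER -j RETURN"
}

# apply_rules: load the rules into the live ruleset (needs root). The chain and
# the jump from FORWARD are created if dockerd has not done so yet; Docker does
# not flush DOCKER-USER on restart, so the rules survive daemon restarts.
apply_rules() {
    iptables -N DOCKER-USER 2>/dev/null || true
    iptables -C FORWARD -j DOCKER-USER 2>/dev/null || iptables -I FORWARD 1 -j DOCKER-USER
    iptables -F DOCKER-USER
    docker_user_rules "$EXT_IF" $ALLOWED_SOURCES | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of the rule is intended
        iptables $rule
    done
}

# docker_user_is_first: read an iptables-save dump on stdin and succeed only if
# the first FORWARD rule is the jump to DOCKER-USER. If Docker's ACCEPT rules
# come before it, DOCKER-USER is never reached for that traffic.
docker_user_is_first() {
    first=$(grep '^-A FORWARD ' | head -n 1)
    [ "$first" = "-A FORWARD -j DOCKER-USER" ]
}

# Constructed sample of the FORWARD chain as iptables-save prints it on a host
# where dockerd has inserted its jump (not captured from the asker's server).
SAMPLE_FORWARD='-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

if [ "${1:-}" = "apply" ]; then
    apply_rules
    iptables-save | docker_user_is_first || echo "warning: DOCKER-USER is not the first FORWARD rule" >&2
else
    docker_user_rules "$EXT_IF" $ALLOWED_SOURCES
    printf '%s\n' "$SAMPLE_FORWARD" | docker_user_is_first && echo "sample FORWARD chain: DOCKER-USER is evaluated first"
fi
```

Run it without arguments to print the rules and check the constructed sample; run `sh script.sh apply` as root to load them. Because the allowed hosts get RETURN rather than ACCEPT, they can only reach the ports Docker has actually published (the DOCKER chain still decides), and the conntrack rule keeps the containers' own outbound connections working through the DROP.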
3 answers
July 9th 19 at 13:03
Try configuring Docker according to the official networking documentation:
https://docs.docker.com/v1.8/articles/networking/

I think if you disable some options, such as --ip-forward and --iptables, you can use your own chain of rules.
Tried that. But then all the rules that Docker creates itself have to be written by hand. Without them the containers do not work.
And that is very inconvenient.
The problem has to be solved somehow without these options. - octavia.Bernhard60 commented on July 9th 19 at 13:06
July 9th 19 at 13:05
Create the file
/etc/systemd/system/docker.service.d/noiptables.conf

Put this in the file:
[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// --iptables=false

Then configure it with iptables.
July 9th 19 at 13:07
If this is still relevant, I found it here: https://fralef.me/docker-and-iptables.html

Do:
docker run --name squid -d --restart=always \
--publish 192.168.2.41:3128:3128 \

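The approach in the answer above, binding the published port to one address (--publish 192.168.2.41:3128:3128), makes Docker write its DNAT rule with that destination address, so the port is not reachable on the public interface at all. The weak setting is the default, which binds to 0.0.0.0 (and ::: when IPv6 is enabled). The script below is an added example, not code from this thread, that audits running containers for such wildcard bindings by parsing the Ports column of `docker ps --format '{{.Names}}\t{{.Ports}}'`; the sample lines it runs on are constructed, not captured from the asker's host.

```shell
#!/bin/sh
# Added example, not from the original thread: list published container ports
# that are bound to every host address, i.e. reachable from outside unless the
# firewall stops them. Input format is that of
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# e.g. "es<TAB>0.0.0.0:9200->9200/tcp, :::9200->9200/tcp".

# wildcard_published_ports: read "<name><TAB><ports>" lines on stdin and print
# "<name> <bind-address:port>" for each publish bound to 0.0.0.0 or to :::.
# Entries without "->" are merely exposed, not published, and are skipped.
wildcard_published_ports() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name ports; do
        printf '%s\n' "$ports" | tr ',' '\n' | while read -r entry; do
            case "$entry" in
                0.0.0.0:*|:::*)
                    printf '%s %s\n' "$name" "$(printf '%s\n' "$entry" | sed 's/->.*//')" ;;
            esac
        done
    done
}

# Constructed sample output (not captured from the asker's server): one port
# bound to the LAN address as in the answer, one with the default binding, and
# one container that only exposes a port without publishing it.
SAMPLE_PS=$(printf 'squid\t192.168.2.41:3128->3128/tcp\nes\t0.0.0.0:9200->9200/tcp, :::9200->9200/tcp\nmongo\t27017/tcp\n')

if [ "${1:-}" = "live" ]; then
    docker ps --format '{{.Names}}\t{{.Ports}}' | wildcard_published_ports
else
    printf '%s\n' "$SAMPLE_PS" | wildcard_published_ports
fi
```

On the sample it reports only the es container (once for 0.0.0.0:9200 and once for :::9200); `sh script.sh live` runs the same check against the local daemon. Any container it lists is exposed on every interface and needs either an address-bound --publish or a firewall rule in FORWARD, since the INPUT chain does not see that traffic.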