# NAT table used by Docker to route the traffic
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:DOCKER -
# Whitelist to access the Docker resources
:DOCKER-BLOCK -
# Allow Portainer agent administration from HQ only
-A DOCKER-BLOCK    -p tcp --dport 9001  --source xxx.xxx.xxx.xxx     -j DOCKER


# First check the whitelist then block the traffic to the other chains
:POSTROUTING ACCEPT
-A PREROUTING      -m addrtype --dst-type LOCAL                   -j DOCKER-BLOCK
# Default policy, to block any traffic to Docker interfaces
-A PREROUTING      -m addrtype --dst-type LOCAL                   -j RETURN
COMMIT

# Filter table
*filter
# Incoming chain
:INPUT DROP
# Allow any traffic for the localhost interface
-A INPUT -i lo                                                    -j ACCEPT
# Allow any established and related connection traffic
-A INPUT                                                          -j ACCEPT  -m state --state ESTABLISHED,RELATED
# Allow incoming PING from anywhere
-A INPUT           -p icmp                                        -j ACCEPT
# Allow SSH connection from anywhere
-A INPUT           -p tcp --dport 22222                           -j ACCEPT
# Allow DNS requests from authorized hosts only (no NAT from docker, host interface)
-A INPUT           -p udp --dport 53    --source xxx.xxx.xxx.xxx     -j ACCEPT


# Forwarding chain
:FORWARD DROP

# Output chain
:OUTPUT ACCEPT

# Save all the rules
COMMIT