Block access from container to forwarded port

I want to restrict traffic from a container to the forwarded ports from other containers.
I found that adding a blocking rule in the DOCKER-USER chain does not work, but adding it in INPUT works fine.
As I understand it, I should not be adding rules in INPUT, as Docker automatically manipulates chains other than DOCKER-USER.
What is the best way of getting this kind of isolation with Docker?