I have a server that I want to host services on for both the internet and for the local network. I want to block traffic from containers to my local network, so that if a service that is on the internet gets compromised, then the attackers don’t have access to my local network.
sudo iptables -I DOCKER-ISOLATION-STAGE-2 -d 192.168.4.0/24 -j DROP
sudo iptables -I DOCKER-ISOLATION-STAGE-2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
192.168.4.0/24 is my local network
This seems to be working for me, but I want to know if I was missing something?
Is there a more straightforward way to solve this problem?
DOCKER-ISOLATION-STAGE-2 seems undocumented, should I be using this or something else?
Are there any other concerns that I should have?
– Thanks
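The same policy expressed in the chain Docker actually documents for user rules, as an added example that is not part of the post above. Docker creates a DOCKER-USER chain and jumps to it from FORWARD before any of its own rules; rules placed there survive the daemon rebuilding its DOCKER-ISOLATION-STAGE-* chains, which it treats as internal. The script assumes the LAN is 192.168.4.0/24 (from the post) and that the containers sit on the default docker0 bridge (an assumption; user-defined networks get br-<id> interfaces, so adjust BRIDGE_IF or drop the -i match to cover every bridge).

```shell
#!/bin/sh
# Added example, not from the original post: block container-to-LAN traffic
# from DOCKER-USER instead of the internal DOCKER-ISOLATION-STAGE-2 chain.
# Assumptions: LAN_NET 192.168.4.0/24 (from the post); BRIDGE_IF docker0 (assumed).
set -u

LAN_NET="${LAN_NET:-192.168.4.0/24}"
BRIDGE_IF="${BRIDGE_IF:-docker0}"

# Print the rule specifications (without the "iptables -I DOCKER-USER" prefix),
# one per line, in evaluation order. The conntrack rule must come first so that
# replies to connections the LAN opened (a LAN client using a hosted service)
# are handed back to Docker's rules instead of being dropped.
render_rules() {
    lan="$1"; bridge="$2"
    printf '%s\n' "-m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    printf '%s\n' "-i $bridge -d $lan -j DROP"
}

# Install the rules idempotently: "iptables -C" succeeds only if an identical
# rule already exists, so re-running the script does not stack duplicates.
# Positions 1 and 2 keep both rules ahead of the trailing RETURN Docker adds.
apply_rules() {
    lan="$1"; bridge="$2"
    pos=1
    render_rules "$lan" "$bridge" | while IFS= read -r spec; do
        # shellcheck disable=SC2086  # spec is a trusted, space-separated rule
        if ! iptables -C DOCKER-USER $spec 2>/dev/null; then
            iptables -I DOCKER-USER "$pos" $spec
        fi
        pos=$((pos + 1))
    done
}

# Post-change check: what is actually installed, in iptables-save syntax.
show_rules() {
    iptables -S DOCKER-USER
}

case "${1:-}" in
    apply) apply_rules "$LAN_NET" "$BRIDGE_IF"; show_rules ;;
    show)  show_rules ;;
    *)     render_rules "$LAN_NET" "$BRIDGE_IF" ;;
esac
```

Run it without arguments to review the rules it would install, `sudo ./script apply` to install them, and `sudo ./script show` afterwards to confirm the DROP sits after the conntrack rule and before Docker's RETURN. Two caveats a practitioner should keep in mind: DOCKER-USER (like DOCKER-ISOLATION-STAGE-2) is only traversed for forwarded packets, so a container reaching the host's own LAN address goes through INPUT instead and needs a separate INPUT rule if the host runs LAN-only services; and the rules above are IPv4 only, so an ip6tables equivalent is needed if the containers have IPv6 connectivity.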