How to make it so that containers have only host network access but no internet access

Let me give an example. Say, I have 3 containers, two of them in a simple docker network and they can communicate with each other and one of them exposes a port to the host network. The third container can’t talk with the other containers but also exposes a port. This much is done, but now I want it so that all of the containers have no access to the internet. They can only accept incoming traffic from the exposed port but can’t ever communicate outside, especially on the internet. How can I make this possible?

You’ll probably need to mess with iptables. Here’s a guide. Note: I have not tried this.
https://dev.to/andre/docker-restricting-in--and-outbound-network-traffic-67p

I checked this link but I don’t want to modify the docker compose file. I want a more streamlined solution which will work for any containers, unmodified.

If you enable “userns-remap” then you should be able to use owner match in iptables:
iptables -m owner --uid-owner userid[-userid] Match local UID
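
Added example, not written by any poster in this thread: one host-wide way to get the behaviour asked for, without editing compose files, is to filter in Docker's `DOCKER-USER` chain, which is a different mechanism from the owner match suggested above. The subnet list and the `CONTAINER_SUBNETS` and `APPLY` variables are assumptions of this sketch; check the real ranges with `docker network inspect`.

```shell
#!/bin/sh
# Added example: build iptables rules for Docker's DOCKER-USER chain so that
# containers cannot open connections to anything beyond the Docker host, while
# replies to inbound connections on published ports still get out.
# Assumption: containers draw addresses from CONTAINER_SUBNETS and no
# legitimate client of the published ports lives inside those ranges.
CONTAINER_SUBNETS="${CONTAINER_SUBNETS:-172.16.0.0/12}"

# Print one iptables command per line, in the order the rules must sit.
# Arguments: the container subnets (CIDR notation).
egress_rules() {
    pos=1
    # Replies for connections that were already allowed in (published ports).
    echo "iptables -I DOCKER-USER $pos -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
    # Container-to-container traffic goes back to Docker's own chains, which
    # still enforce isolation between separate Docker networks.
    for src in "$@"; do
        for dst in "$@"; do
            pos=$((pos + 1))
            echo "iptables -I DOCKER-USER $pos -s $src -d $dst -j RETURN"
        done
    done
    # Anything else that originates from a container is dropped.
    for src in "$@"; do
        pos=$((pos + 1))
        echo "iptables -I DOCKER-USER $pos -s $src -j DROP"
    done
}

# Default: only print the rules for review. APPLY=1 (as root) installs them.
# Traffic to the host's own addresses uses INPUT, not FORWARD, so it is
# not affected by these rules.
if [ "${APPLY:-0}" = "1" ]; then
    egress_rules $CONTAINER_SUBNETS | sh -e
else
    egress_rules $CONTAINER_SUBNETS
fi
```

The rules are not persistent across reboots, so they need to be reinstalled after the Docker daemon has created the `DOCKER-USER` chain.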