Only allow certain IPs to a specific container

Hello. I’ve been trying to figure this out on my own but so far have not been successful. I’d like to block all IPs to a specific container, and allow only select IPs, plus my LAN, etc.

My understanding is I would add these rules to the DOCKER-USER chain. If the container has IP address of, can anyone give me an example of:

  • allow rule for subnet
  • deny rule for everything else


Also, I read in several places that custom rules added to DOCKER-CHAIN are not retained after reboot. If so, how are people handling that?

System is Ubuntu 22.04

Any assistance is greatly appreciated. Thanks.
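The allow-list/deny-rest pattern the question asks about, written as an added example (this is not code from the post or from Docker): a POSIX shell script that generates the DOCKER-USER rules for one container, can apply them, and prints a systemd unit that re-applies them after the Docker service starts. The container address 172.17.0.5, the subnets in ALLOWED_SRCS and the install path /usr/local/sbin/docker-user-rules.sh are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the forum thread. Restricts inbound traffic to one
# container to an allow-list of source subnets and drops everything else,
# using the DOCKER-USER chain that Docker consults before its own rules.

CONTAINER_IP="${CONTAINER_IP:-172.17.0.5}"                # constructed placeholder
ALLOWED_SRCS="${ALLOWED_SRCS:-192.168.1.0/24 10.0.0.0/8}"  # constructed allow-list

# Print the iptables commands, one per line, without executing them, so the
# rule set can be reviewed before it is applied.
# Usage: docker_user_rules <container-ip> <allowed-src-cidr>...
docker_user_rules() {
    ip="$1"
    shift
    # Docker installs DOCKER-USER with a trailing RETURN; a rule appended with
    # -A would sit after that RETURN and never match. Every -I below inserts
    # at position 1, so commands are emitted in reverse of the final
    # top-to-bottom order: conntrack ACCEPT, allow-list ACCEPTs, DROP, RETURN.
    echo "iptables -I DOCKER-USER -d $ip -j DROP"
    for src in "$@"; do
        echo "iptables -I DOCKER-USER -s $src -d $ip -j ACCEPT"
    done
    # Replies to connections the container opened itself are still accepted.
    echo "iptables -I DOCKER-USER -d $ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Execute the generated commands on the Docker host (needs root and iptables).
# Review the result afterwards with: iptables -S DOCKER-USER
apply_rules() {
    docker_user_rules "$@" | while IFS= read -r cmd; do
        $cmd   # unquoted on purpose: split the line into command and arguments
    done
}

# Print a systemd oneshot unit that re-runs this script after docker.service
# is up, which is one way to keep DOCKER-USER rules across reboots.
systemd_unit() {
    cat <<'EOF'
[Unit]
Description=Restrict access to a container via DOCKER-USER
After=docker.service
Requires=docker.service

[Service]
Type=oneshot
# assumed install path of this script
ExecStart=/usr/local/sbin/docker-user-rules.sh apply
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Entry point: "apply" installs the rules, "unit" prints the systemd unit,
# anything else (the default) just prints the rules for review.
case "${1:-print}" in
    apply) apply_rules "$CONTAINER_IP" $ALLOWED_SRCS ;;   # $ALLOWED_SRCS split on spaces
    unit)  systemd_unit ;;
    *)     docker_user_rules "$CONTAINER_IP" $ALLOWED_SRCS ;;
esac
```

Two caveats worth keeping in mind. The rules match on the container's IP address, and a container on the default bridge can receive a different address after it is recreated, so either pin the address with a user-defined network and `--ip`, or match the published port on the host interface instead. Also, the host's own traffic to the container goes through OUTPUT rather than FORWARD, so these FORWARD-side rules do not block local access; that is usually what you want, but check with `iptables -S DOCKER-USER` and a test connection from a disallowed address.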