Restrict access to a container with iptables

I’ve always used an iptables file (saved at /etc/sysconfig/iptables on CentOS) to restrict access to my machine's ports and connections, but how do I deal with Docker containers?

I don’t want to lose the auto docker0 NAT rule, but I also want to close various ports without being bypassed by Docker.

What is the best practice to do this?