Restricting network access from container

I’ve got a need to be able to start containers which have network access strictly limited:

  • no access to the host or other containers
  • access to the outside world restricted to a specific whitelist of IP addresses
    But I’m not sure exactly how to go about this. I imagine I need to create a specific bridge network for this and start the container in this network using the --net option. But I can’t figure out the specific details.
    Can anyone provide some guidance?