I’m looking for what would be the best approach to limiting network access to a service running on docker swarm. For example, running an nginx container, I am not able to use the normal access rules in the web server to restrict access by address or subnet because all traffic appears to be originating from the ingress-endpoint address. If I use host networking for the listening ports (80 & 443) then I am not able to connect to some of the overlay networks where this web server functions as a reverse proxy for other containerized services.

Also, it appears that incoming traffic is routed to the ingress network before the hosts firewall (CentOS/RHEL7) can apply any filter rules.

If I want to block public traffic to some vhosts, or limit others to specific subnets, what is the best method for achieving this?

Host: RHEL7/CentOS7
docker-ce version: 19.03.8-3.el7
container ver: nginx:alpine

example configuration:
version: “3.7”
services:
Testsite1:
image: nginx:alpine
hostname: test1
ports:
- target: 80
published: 80
protocol: tcp
mode: ingress
networks:
testnet:
aliases:
- webserver
RemoteCTR:
image: nginx:alpine
hostname: test2
networks:
testnet:
aliases:
- remoteserver
networks:
testnet:
external: true