engine: 18.06.1~ce~3-0~ubuntu
os: DISTRIB_DESCRIPTION=“Ubuntu 18.04.1 LTS”

ive read i can add rules to the DOCKER-USER chain intables to firewall services from outside world.

I run theese lines directly in shell on the host

iptables -A DOCKER-USER -i enp0s31f6 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A DOCKER-USER -i enp0s31f6 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A DOCKER-USER -i enp0s31f6 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A DOCKER-USER -i enp0s31f6 -p tcp --sport 2222 --src X.X.X.X-m tcp --dport 2222 -j ACCEPT

where X.X.X.X is my ip address at the office that needs to reach the host / containers

After running theese iptables rules, im still able to reach sshd running on the swarm.