The goal is to restrict Docker processes to the LAN only,
while still being able to forward a port to the host using e.g. -p 80:80.
docker network create lan
docker network inspect lan # copy the network's subnet, e.g. "Subnet": "172.18.0.0/16"
sudo iptables --insert DOCKER-USER -s 172.18.0.0/16 -j REJECT --reject-with icmp-port-unreachable # reject forwarded traffic originating from the container subnet
sudo iptables --insert DOCKER-USER -s 172.18.0.0/16 -m state --state RELATED,ESTABLISHED -j RETURN # inserted above the REJECT rule, so replies on existing connections (e.g. to the forwarded port) still pass
docker run --network lan -p 8069:8069 ...
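Because both rules are added with --insert, the rule inserted last ends up first, and the port forward only works if the RETURN rule sits above the REJECT rule. The check below is an added example (not part of the original note) that verifies this order in `iptables -S DOCKER-USER` output; the function name and the sample chain listings are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: verify that in DOCKER-USER the RELATED,ESTABLISHED RETURN
# rule for the container subnet is listed before the REJECT rule for the
# same subnet. If the order is reversed, replies from containers (including
# those to a forwarded port) are rejected.
#
# Usage on a live host: iptables -S DOCKER-USER | check_docker_user_order 172.18.0.0/16
# Returns 0 when both rules exist and RETURN precedes REJECT, 1 otherwise.
check_docker_user_order() {
    subnet="$1"
    return_pos=""; reject_pos=""; n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            *"-s $subnet "*"RELATED,ESTABLISHED"*"-j RETURN"*)
                [ -z "$return_pos" ] && return_pos=$n ;;
            *"-s $subnet "*"-j REJECT"*)
                [ -z "$reject_pos" ] && reject_pos=$n ;;
        esac
    done
    [ -n "$return_pos" ] && [ -n "$reject_pos" ] && [ "$return_pos" -lt "$reject_pos" ]
}

# Constructed sample of `iptables -S DOCKER-USER` after the two --insert
# commands above (correct order: RETURN listed first).
SAMPLE_OK='-N DOCKER-USER
-A DOCKER-USER -s 172.18.0.0/16 -m state --state RELATED,ESTABLISHED -j RETURN
-A DOCKER-USER -s 172.18.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN'

# Constructed sample with the rules in the wrong order (REJECT listed first).
SAMPLE_BAD='-N DOCKER-USER
-A DOCKER-USER -s 172.18.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -s 172.18.0.0/16 -m state --state RELATED,ESTABLISHED -j RETURN
-A DOCKER-USER -j RETURN'

if printf '%s\n' "$SAMPLE_OK" | check_docker_user_order 172.18.0.0/16; then
    echo "sample OK: rule order correct"
fi
if ! printf '%s\n' "$SAMPLE_BAD" | check_docker_user_order 172.18.0.0/16; then
    echo "sample BAD: REJECT precedes RETURN, port forward replies would be rejected"
fi
```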
If the forwarded port is not needed, the following is enough: