@liejuntao001
Last active May 10, 2020 09:30
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]
-F INPUT
-F DOCKER-USER
-F FILTERS
# BASIC Allow
-A INPUT -i lo -j ACCEPT
# Chain to FILTERS
-A INPUT -j FILTERS
-A DOCKER-USER -i eth0 -j FILTERS
# COMMON FIREWALL RULES
# ALLOW something
-A FILTERS -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# DENY something
-A FILTERS -p icmp --icmp-type echo-request -j REJECT
###################################################################
### special cases for servers
### please modify by the server
### end special cases
############################################################
# FINAL REJECT
# Optional logging
-A FILTERS -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A FILTERS -j REJECT
COMMIT
@liejuntao001 (Author)

After some study I found that these lines will allow access to container port 80 when jumping from DOCKER-USER to FILTERS:

-A DOCKER-USER -i wlp3s0 -j FILTERS
-A FILTERS -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Here the "80, 443" are not the ports on the host side of the binding, but on the container side.
E.g. with 8080:80, 8080 (the left side) is the host-side port, and 80 (the right side) is the container-side port.

If you modify the rule as
-A FILTERS -p tcp -m multiport --dports 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
then port 8080 is not accessible from outside.
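
As an added example that is not part of the gist or of either commenter's rules: a small POSIX shell helper that derives a FILTERS rule from a `docker -p` style mapping and keys it on the published (host-side) port through the conntrack match's `--ctorigdstport`, which compares against the destination port recorded before DNAT. IPTABLES defaults to `echo iptables`, so the script prints the rules rather than loading them.

```shell
#!/bin/sh
# Added example (not from the gist). In DOCKER-USER the packet has already been
# DNATed, so "--dport" sees the container-side port (80 for 8080:80).
# "--ctorigdstport" matches the pre-NAT destination port, i.e. the published
# host-side port, and is unchanged for host services reached via INPUT, so one
# FILTERS rule reads the same no matter which chain jumped into FILTERS.
# IPTABLES defaults to "echo iptables": dry run, rules are printed not loaded.
IPTABLES="${IPTABLES:-echo iptables}"

# Parse a mapping of the form [BIND_IP:]HOST_PORT:CONTAINER_PORT[/PROTO].
proto_of() { case "$1" in */*) printf '%s\n' "${1##*/}" ;; *) echo tcp ;; esac; }
ports_of() { printf '%s\n' "${1%/*}"; }                   # strip optional /proto
container_port_of() { p=$(ports_of "$1"); printf '%s\n' "${p##*:}"; }
host_port_of() { p=$(ports_of "$1"); p="${p%:*}"; printf '%s\n' "${p##*:}"; }

# Emit the FILTERS rule for one published mapping, keyed on the host-side port.
# --ctdir ORIGINAL limits the match to client -> server packets of the flow.
allow_published() {
  $IPTABLES -A FILTERS -p "$(proto_of "$1")" \
    -m conntrack --ctstate NEW --ctdir ORIGINAL \
    --ctorigdstport "$(host_port_of "$1")" -j ACCEPT
}

# Demo on constructed mappings (bind IP, udp suffix and plain form).
for m in 8080:80 127.0.0.1:8443:443 5353:53/udp; do
  echo "# $m: --dport would see ${m%%/*} container port $(container_port_of "$m")"
  allow_published "$m"
done
```

Run with `IPTABLES=iptables` as root to load the printed rules instead of echoing them.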

@jakommo

jakommo commented May 10, 2020

Thanks for looking into this, really appreciate the help. I think I will stick with my current setup and use double rules in INPUT+DOCKER-USER for the per-host, per-service mapping.
