By default, any external source IP can reach the ports Docker publishes for its containers. Published ports are DNAT'd and forwarded to the container, so the host's own INPUT rules never see that traffic; the place to filter it is the DOCKER-USER chain, which Docker consults first in FORWARD.
Filtering by IP is actually easy once you know how, but I had a hell of a time finding the key information, and for me it was three-fold:
1. If the "DOCKER-USER" chain is not present when Docker starts, Docker creates it itself with a single RETURN rule, i.e. it passes everything through unfiltered; therefore:
2. You must stop the docker service before configuring the DOCKER-USER iptables chain.
3. You must add the DOCKER-USER chain (and its rules) before the docker service starts again. Note that a firewalld reload also flushes the iptables rules Docker installed at startup, which is why Docker has to come back up only after the reload.
partial reference: https://github.com/moby/moby/issues/35043
i.e.:
service docker stop
# rebuild the chain from scratch (both remove commands fail harmlessly on a first run, when nothing exists yet)
firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
# allow-listed sources on the external interface, lowest priority number first
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -i ens224 -s 1.2.3.4 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 2 -i ens224 -s 5.6.7.8 -j ACCEPT
# everything else arriving on ens224 for a container is dropped
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 3 -i ens224 -j DROP
service firewalld reload
service docker start
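The same procedure as a script, generalised to any number of allow-listed sources. This is an added example, not the original post's commands nor anything shipped by Docker or firewalld: the interface name ens224 and the addresses 1.2.3.4 / 5.6.7.8 are the placeholders from the post, while the DRY_RUN switch, the address validation and the function names are my own. It also adds one rule the post does not have, and which you will want in practice: DOCKER-USER is evaluated before Docker's own RELATED,ESTABLISHED accept in FORWARD, so a bare DROP on the external interface also drops the replies to connections the containers themselves open outbound.

```bash
#!/bin/sh
# Added example, not from the original page: rebuild the DOCKER-USER chain
# through firewalld direct rules for an arbitrary allow-list, with the docker
# service stopped while the chain is (re)built. Interface name "ens224" and the
# addresses in the usage line are placeholders from the page, not real hosts.
set -eu

# Execute a command, or only print it when DRY_RUN=1 (lets the script be
# reviewed, or run on a box without root, before touching the firewall).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Accept a dotted-quad IPv4 address with an optional /0-/32 prefix and
# reject everything else before it reaches firewall-cmd.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%%/*}
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Emit (with DRY_RUN=1) or apply the permanent direct rules for one
# interface: drop any previous chain, recreate it, let replies to connections
# the containers opened back in, accept the allow-listed sources, drop the
# rest. The priority number orders the rules inside the chain, lowest first.
docker_user_rules() {
    iface=$1; shift
    [ $# -gt 0 ] || { echo "need at least one allowed source" >&2; return 1; }
    for src in "$@"; do
        valid_ipv4 "$src" || { echo "bad address: $src" >&2; return 1; }
    done
    # Both removals fail on a first run, when nothing exists yet.
    run firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER || true
    run firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER || true
    run firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
    # DOCKER-USER is consulted before Docker's own RELATED,ESTABLISHED accept
    # in FORWARD, so without this rule the final DROP also eats the replies
    # to outbound connections made from inside the containers.
    prio=1
    run firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER $prio \
        -i "$iface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    for src in "$@"; do
        prio=$((prio + 1))
        run firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER $prio \
            -i "$iface" -s "$src" -j ACCEPT
    done
    prio=$((prio + 1))
    run firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER $prio \
        -i "$iface" -j DROP
}

# Full procedure from the page: docker down, chain rebuilt, firewalld
# reloaded, docker up, then list the live chain so the result can be checked
# (the conntrack rule, the ACCEPTs and the DROP should all be there).
apply_docker_user_allowlist() {
    run service docker stop
    docker_user_rules "$@"
    run service firewalld reload
    run service docker start
    run iptables -nvL DOCKER-USER
}

# Usage: DRY_RUN=1 sh docker-user-allowlist.sh ens224 1.2.3.4 5.6.7.8
# (drop DRY_RUN to apply). Without arguments only the functions are defined.
if [ $# -gt 0 ]; then
    apply_docker_user_allowlist "$@"
fi
```

Run it once with DRY_RUN=1 and compare the printed firewall-cmd lines with what you intended before applying; afterwards `iptables -nvL DOCKER-USER` should show the chain with its packet counters climbing on the ACCEPT rules for allowed sources and on the DROP for everything else.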