@codeasashu
Created January 9, 2019 10:06
Restrict Docker container access from the internet, except for a few allowed IPs
#!/bin/sh
#
# iptables configuration
#
# The following allows in- and outbound traffic
# to and from the `ALLOWED_CIDR*` ranges defined below,
# but blocks all other network traffic.
#
ALLOWED_CIDR1=172.0.0.0/16
ALLOWED_CIDR2=13.233.249.192
ALLOWED_CIDR3=192.168.0.0/16

#iptables -P FORWARD DROP # we aren't a router

# Drop malformed packets, then accept packets belonging to connections
# conntrack already knows about (replies to traffic we allowed).
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept anything arriving on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
#iptables -A INPUT -s 127.0.0.1 -j ACCEPT # We do not want to access app from within container so why bother?
#iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT

# Chain policies: a packet that matches no rule is dropped. Note that
# OUTPUT has no RELATED,ESTABLISHED rule, so the container can only
# send to the allow-listed ranges, in either direction of a connection.
iptables -P INPUT DROP # Drop everything we don't accept
iptables -P OUTPUT DROP
#iptables -A INPUT -s 0.0.0.0 -j ACCEPT
#iptables -A OUTPUT -d 0.0.0.0 -j ACCEPT

# Allow-list: inbound from, and outbound to, the permitted ranges only.
iptables -A INPUT -s "$ALLOWED_CIDR1" -j ACCEPT
iptables -A INPUT -s "$ALLOWED_CIDR2" -j ACCEPT
iptables -A INPUT -s "$ALLOWED_CIDR3" -j ACCEPT
iptables -A OUTPUT -d "$ALLOWED_CIDR1" -j ACCEPT
iptables -A OUTPUT -d "$ALLOWED_CIDR2" -j ACCEPT
iptables -A OUTPUT -d "$ALLOWED_CIDR3" -j ACCEPT
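Before loading a rule set like this into a live container it helps to check what it will actually do. The following is an added example, not part of the gist: a small Python simulator of the INPUT and OUTPUT chains exactly as the script appends them (ordered rules, conntrack state and interface matches, then the DROP policy). The packets are constructed. It makes two properties of the script visible that are easy to miss: inbound replies from anywhere are accepted by the RELATED,ESTABLISHED rule, but outbound packets to anything outside the three ranges are dropped, so the container can never initiate a connection to the wider internet; and `172.0.0.0/16` covers only `172.0.0.0`–`172.0.255.255`, so a peer on Docker's usual default bridge range (`172.17.0.0/16`) does not match it.

```python
"""Simulate the INPUT/OUTPUT chains built by the gist's iptables script.

Added example, not code from the gist. Models only what the script uses:
ordered rules with state/interface/source/destination matches, and a chain
policy applied when no rule matches. All packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# The three ranges from the script, in the order they are appended.
ALLOWED_CIDRS = ["172.0.0.0/16", "13.233.249.192", "192.168.0.0/16"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    iface: str = "eth0"   # interface the packet arrives on (INPUT) / leaves by (OUTPUT)


def _in_cidr(ip: str, cidr: str) -> bool:
    # A bare address such as 13.233.249.192 is treated as a /32, like iptables does.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def build_input_chain():
    """Rules in the order the script's `iptables -A INPUT ...` lines add them."""
    rules = [
        (lambda p: p.state == "INVALID", "DROP"),
        (lambda p: p.state in ("RELATED", "ESTABLISHED"), "ACCEPT"),
        (lambda p: p.iface == "lo", "ACCEPT"),
    ]
    rules += [(lambda p, c=c: _in_cidr(p.src, c), "ACCEPT") for c in ALLOWED_CIDRS]
    return rules, "DROP"   # policy from `iptables -P INPUT DROP`


def build_output_chain():
    """OUTPUT has only the destination allow-list; no state or loopback rule."""
    rules = [(lambda p, c=c: _in_cidr(p.dst, c), "ACCEPT") for c in ALLOWED_CIDRS]
    return rules, "DROP"   # policy from `iptables -P OUTPUT DROP`


def evaluate(chain, packet: Packet) -> str:
    """First matching rule wins; the chain policy applies if none matches."""
    rules, policy = chain
    for predicate, target in rules:
        if predicate(packet):
            return target
    return policy


def verdict_input(packet: Packet) -> str:
    return evaluate(build_input_chain(), packet)


def verdict_output(packet: Packet) -> str:
    return evaluate(build_output_chain(), packet)


if __name__ == "__main__":
    # Constructed packets; 10.0.0.5 stands in for the container's own address.
    cases = [
        ("INPUT  new from allowed host", verdict_input, Packet("13.233.249.192", "10.0.0.5")),
        ("INPUT  new from docker bridge", verdict_input, Packet("172.17.0.1", "10.0.0.5")),
        ("INPUT  reply from internet", verdict_input, Packet("8.8.8.8", "10.0.0.5", state="ESTABLISHED")),
        ("OUTPUT new to internet", verdict_output, Packet("10.0.0.5", "8.8.8.8")),
        ("OUTPUT to allowed host", verdict_output, Packet("10.0.0.5", "13.233.249.192")),
        ("INPUT  loopback", verdict_input, Packet("127.0.0.1", "127.0.0.1", iface="lo")),
        ("OUTPUT loopback", verdict_output, Packet("127.0.0.1", "127.0.0.1", iface="lo")),
    ]
    for label, fn, pkt in cases:
        print(f"{label:32} {pkt.src:>15} -> {pkt.dst:<15} {fn(pkt)}")
```

Run it as-is to print the verdict for each constructed packet. Changing `ALLOWED_CIDRS` to the ranges you intend to deploy and re-running is a cheap way to catch a mistyped prefix before it locks a container out of its own bridge network.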