I am running a VPS with a Docker container hidden behind Nginx, which acts as a reverse proxy to route traffic. Docker modifies iptables rules dynamically using its custom chains by default, but I want full control over my firewall and do not want Docker to make these modifications. To achieve this, I have set up custom iptables rules, as shown below. I would like to confirm whether my approach is safe and whether there are any potential issues I should be aware of.

Here are the iptables rules from my current setup:
```text
iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  500  172K MASQUERADE 0 -- * enp1s0  0.0.0.0/0    0.0.0.0/0
    0     0 MASQUERADE 0 -- * !docker0 172.17.0.0/16 0.0.0.0/0
```
```text
iptables -nvL
Chain INPUT (policy DROP 180 packets, 8766 bytes)
 pkts bytes target prot opt in     out source    destination
  210 74025 ACCEPT 0   --  lo      *   0.0.0.0/0 0.0.0.0/0
  124  6032 ACCEPT 1   --  *       *   0.0.0.0/0 0.0.0.0/0 icmptype 8
 4316 5095K ACCEPT 0   --  enp1s0  *   <my IP>   0.0.0.0/0
  168 69867 ACCEPT 0   --  docker0 *   0.0.0.0/0 0.0.0.0/0
   35  4417 ACCEPT 0   --  *       *   0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 475K packets, 157M bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in     out     source    destination
  819  114K ACCEPT 0   --  docker0 *       0.0.0.0/0 0.0.0.0/0
  769  704K ACCEPT 0   --  *       docker0 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT 0   --  *       *       0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
```
I understand that Docker’s default rules are more complex, but I don’t fully grasp why. Is my simplified setup secure enough for production use, or am I missing some critical functionality provided by Docker’s default iptables rules?
Additionally:
- Are there any risks or caveats to disabling Docker’s iptables modifications in favor of custom rules?
- Is my current setup sufficient to ensure security and proper networking for Docker containers?
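One way to review a ruleset like the one above is to parse the `iptables -nvL` listing and mechanically flag the rules that accept every packet on an interface, so the broad ones stand out from the state- and protocol-restricted ones. The following is an added example written for this post, not Docker's or iptables' own code: it embeds the filter-table listing from the question as constructed sample input (with the redacted `<my IP>` replaced by the documentation address `203.0.113.10` so the line splits into columns), parses it into chains and rules, and reports INPUT/FORWARD rules that are `ACCEPT` from any source to any destination with no further match. The `parse_listing` and `audit` names are this example's own.

```python
"""Parse `iptables -nvL` output and flag unrestricted ACCEPT rules.

Illustrative checker written for this post (not part of Docker or iptables).
It reads the plain listing format shown in the question and reports rules in
INPUT/FORWARD that accept from any source to any destination with no state,
protocol or port match, plus a non-DROP default policy or a missing
RELATED,ESTABLISHED rule.
"""
import re
from dataclasses import dataclass, field

ANY = "0.0.0.0/0"

# Constructed sample: the filter-table listing from the question, with the
# redacted "<my IP>" replaced by a documentation address (203.0.113.10).
SAMPLE = """\
Chain INPUT (policy DROP 180 packets, 8766 bytes)
 pkts bytes target prot opt in out source destination
  210 74025 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
  124 6032 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
 4316 5095K ACCEPT 0 -- enp1s0 * 203.0.113.10 0.0.0.0/0
  168 69867 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
   35 4417 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 475K packets, 157M bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  819 114K ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
  769 704K ACCEPT 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
"""


@dataclass
class Rule:
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # trailing match text, e.g. "state RELATED,ESTABLISHED"


@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)


CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")


def parse_listing(text):
    """Parse `iptables -nvL` (counters on) into {chain name: Chain}."""
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if line.startswith("pkts") or current is None:
            continue  # column header, or text before the first chain
        tok = line.split()
        if len(tok) < 9:
            raise ValueError(f"unexpected rule line: {line}")
        # columns: pkts bytes target prot opt in out source destination [matches...]
        current.rules.append(
            Rule(tok[2], tok[3], tok[5], tok[6], tok[7], tok[8], " ".join(tok[9:]))
        )
    return chains


def audit(chains):
    """Return human-readable findings for the INPUT and FORWARD chains."""
    findings = []
    for name in ("INPUT", "FORWARD"):
        chain = chains.get(name)
        if chain is None:
            findings.append(f"{name}: chain missing from listing")
            continue
        if chain.policy != "DROP":
            findings.append(f"{name}: default policy is {chain.policy}, not DROP")
        if not any("RELATED,ESTABLISHED" in r.extra for r in chain.rules):
            findings.append(f"{name}: no RELATED,ESTABLISHED rule")
        for r in chain.rules:
            # An ACCEPT with wildcard addresses, all protocols and no extra
            # match admits every packet crossing that interface pair.
            broad = (r.target == "ACCEPT" and r.src == ANY and r.dst == ANY
                     and r.prot in ("0", "all") and not r.extra and r.in_if != "lo")
            if broad:
                findings.append(
                    f"{name}: ACCEPT in={r.in_if} out={r.out_if} matches every "
                    "packet (no port or state restriction)"
                )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_listing(SAMPLE)):
        print(finding)
```

Run against the listing in the question it reports three rules: the INPUT accept on `docker0` (anything a container sends to the host's own addresses is admitted, on any port) and the two FORWARD accepts to and from `docker0`. Whether those are acceptable depends on what the containers are trusted with; the checker only makes the breadth of each rule explicit. To use it on a live host, feed it the output of `iptables -nvL` instead of `SAMPLE`.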