iptables – Only allowing a Docker container to access and be accessed from just one IP

I want to run an app that I do not trust inside a Docker container. To minimize risks, I want this container to only be able to access one IP address (both to receive and to send messages). In that way, the app cannot start scanning my net, contact the outside world, or be contacted by other apps in my network.

So, say, that the container runs on IP (using macvlan) and the computer that I’ll be using for accessing it runs on IP. I want to only have access to and from. For maximum security, the only port that needs to be open is 5000/UDP.

I guess this requires configuring iptables inside the Dockerfile but I don’t know how to set it up. Any ideas?
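One way to get the single-peer, single-port policy the question asks for, as an added example that is not from the original post: with macvlan the container's traffic goes straight out the parent interface and never passes the host's INPUT/FORWARD chains, so the rules have to live inside the container's own network namespace at runtime (loaded from the host with nsenter, or by the container itself if it has CAP_NET_ADMIN), not in the Dockerfile. The peer address 192.0.2.20 and the container name are constructed placeholders, since the post does not give its real addresses.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a default-deny
# iptables ruleset that lets the container talk only to one peer on one
# UDP port, and loads it into the container's network namespace.
# PEER_IP and the container name used below are constructed placeholders.

# build_rules PEER_IP UDP_PORT -> prints an iptables-restore ruleset on stdout
build_rules() {
    peer="$1"
    port="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback stays usable for the app itself
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# the one allowed flow: the peer sending to the app on UDP $port ...
-A INPUT -s $peer -p udp --dport $port -j ACCEPT
# ... and the app answering from UDP $port back to that same peer
-A OUTPUT -d $peer -p udp --sport $port -j ACCEPT
# everything else (scans of the LAN, other hosts, any outbound connection) is dropped
COMMIT
EOF
}

# count_accept RULESET -> number of ACCEPT rules, a quick sanity check that
# nothing beyond loopback and the single peer flow is permitted
count_accept() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# apply_rules CONTAINER PEER_IP UDP_PORT -> loads the ruleset into the running
# container's network namespace from the host (requires root on the host).
apply_rules() {
    pid=$(docker inspect -f '{{.State.Pid}}' "$1")
    build_rules "$2" "$3" | nsenter -t "$pid" -n iptables-restore
}

# Dry run with constructed values (prints the ruleset, applies nothing):
# build_rules 192.0.2.20 5000
# Real use on the host, after `docker run ...` has started the container:
# apply_rules untrusted-app 192.0.2.20 5000
```

Because the policy is applied after the container starts, there is a short window before the rules are loaded; starting the container with the app's own process delayed (or applying the rules from an entrypoint with CAP_NET_ADMIN) closes it.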