Iptables rules with dockerized web application – can’t block incoming traffic

I’m hosting a dockerized web application bound to port 8081 on my remote server.
I want to block that web application for external IPs, as I already did with port 8080 hosting a plain Jenkins server.
Here’s what I’ve tried:

iptables -A INPUT -d <my-server-ip> -p tcp --dport 8081 -j DROP

As I did with port 8080.

Here is

iptables -nv -L INPUT


Chain INPUT (policy ACCEPT 2836 packets, 590K bytes)
pkts bytes target     prot opt in     out     source               destination         
495 23676 DROP       tcp  --  *      *             <my-ip-addr>        tcp dpt:8080
  0     0 DROP       tcp  --  *      *             <my-ip-addr>        tcp dpt:8081

Does it possibly have something to do with the DOCKER chain in iptables?

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  9   568 ACCEPT     tcp  --  !docker0 docker0       <container-eth1-addr>         tcp dpt:8080

Are there more specific rules I need to add?
Isn’t my server INPUT rules supposed to be applied before those listed in the DOCKER chain?


Thanks to larsks’s comments I found the solution.

The goal here was to block TCP traffic on port 8081 bound to the Docker container while still being able to use SSH tunneling as a "poor man's" VPN (so not publishing the port was not an option).
Just had to add this rule:

iptables -I DOCKER-USER 1 -d <container-eth-ip>  ! -s -p tcp --dport 8080 -j DROP 

Source: Docker Questions
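
Why the INPUT rule for 8081 shows 0 packets while a DOCKER-USER rule on the container address and port 8080 matches: a simplified model of netfilter traversal for a Docker-published port, added here as an illustration and not part of the original post. It assumes the container was published as 8081:8080 through Docker's default DNAT; all addresses are constructed, and ALLOWED_SRC is a hypothetical stand-in for the source exempted by `! -s`, which the post does not show.

```python
# Simplified netfilter model; all addresses are constructed, not from the post.
HOST_IP = "198.51.100.10"      # stands in for <my-server-ip>
CONTAINER_IP = "172.17.0.2"    # stands in for <container-eth-ip>
ALLOWED_SRC = "198.51.100.77"  # hypothetical source exempted via "! -s"
# nat PREROUTING: Docker's DNAT for a port published as 8081:8080 (assumed mapping)
DNAT = {(HOST_IP, 8081): (CONTAINER_IP, 8080)}

def make_rule(dst, dport, not_src=None):
    """A DROP rule: -d dst --dport dport [! -s not_src], with a packet counter."""
    return {"dst": dst, "dport": dport, "not_src": not_src, "pkts": 0}

def matches(rule, pkt):
    if pkt["dst"] != rule["dst"] or pkt["dport"] != rule["dport"]:
        return False
    # "! -s X" matches every source except X
    return rule["not_src"] is None or pkt["src"] != rule["not_src"]

def run_chain(chain, pkt):
    """Return True if a DROP rule in the chain matches (its counter is bumped)."""
    for rule in chain:
        if matches(rule, pkt):
            rule["pkts"] += 1
            return True
    return False

def traverse(src, dport, input_chain, docker_user):
    """Follow one inbound TCP packet addressed to the host; return (verdict, path)."""
    pkt = {"src": src, "dst": HOST_IP, "dport": dport}
    path = ["PREROUTING"]
    # DNAT rewrites the destination *before* the routing decision.
    if (pkt["dst"], pkt["dport"]) in DNAT:
        pkt["dst"], pkt["dport"] = DNAT[(pkt["dst"], pkt["dport"])]
    if pkt["dst"] == HOST_IP:  # local delivery, e.g. the plain Jenkins on 8080
        path.append("INPUT")
        return ("DROP" if run_chain(input_chain, pkt) else "ACCEPT"), path
    # Destination is now the container: the packet is forwarded, INPUT is skipped.
    path += ["FORWARD", "DOCKER-USER"]
    if run_chain(docker_user, pkt):
        return "DROP", path
    path.append("DOCKER")  # Docker's own ACCEPT for the published port
    return "ACCEPT", path

def demo():
    input_chain = [make_rule(HOST_IP, 8080), make_rule(HOST_IP, 8081)]
    before = traverse("203.0.113.5", 8081, input_chain, docker_user=[])
    docker_user = [make_rule(CONTAINER_IP, 8080, not_src=ALLOWED_SRC)]
    after = traverse("203.0.113.5", 8081, input_chain, docker_user)
    exempt = traverse(ALLOWED_SRC, 8081, input_chain, docker_user)
    jenkins = traverse("203.0.113.5", 8080, input_chain, docker_user)
    return before, after, exempt, jenkins, input_chain[1]["pkts"]
```

After the DNAT step the packet carries the container address and port 8080, so a filter rule written against the host address and port 8081 has nothing left to match.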