How to filter one specific container by IP address, and have a default filtering for all containers?

I would like to restrict the traffic to some docker containers based on the IP of the connecting client. The containers are auto-discovered.

The general setup is a server running the docker hosts placed in a LAN ( Port 80 and 443 from Internet are forwarded by the firewall to that host.

The general setting I am trying to achieve is :

  • global default: anything on 192.168.10/24 and can access any container (traffic from the LAN)
  • global default: deny everything else
  • specific setting: for a given container, allow traffic coming "from Internet" (that is the traffic forwarded). I believe that the incoming IP will be the public IP of the client on Internet.

How should I generally approach these problems?

I tried to use in order to allow/block access to a selected container. Beside the fact that this does not solve the "global default" above, I did not manage to have it working (the relevant parts of my docker-compose are below):

      - "traefik.http.routers.radarr.rule=Host(`radarr.mydomain`)"
      - "traefik.http.routers.radarr.entrypoints=web"
      - "traefik.http.middlewares.radarr.ipwhitelist.sourcerange=,"

    # The official v2.0 Traefik docker image
    image: traefik:v2.0
    container_name: traefik
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker=true --entrypoints.web.address=:80
      # The HTTP port
      - "15085:80"
      # The Web UI (enabled by --api.insecure=true)
      - "18085:8080"
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock

No matter what I put in the sourcerange, I can always access the service at http://radarr.mydomain:15085