How to filter requests for a specific container on an entryPoint?

New to Traefik, I am having a hard time to put together all the components needed to filter requests by IP address.

My main provider is docker, and for the sake of the example let's assume there are two containers: internalonly and public. Both expose port 80 and are accessible via Traefik (they have a label which matches the host).

I would like public to also be reachable from Internet. To this, I will

  • forward port 81 on my firewall so that it hits Traefik.
  • on Traefik, I will add a new entryPoint for port 81.

The idea is that traffic from Internet directed to will be caught and analyzed by Traefik which will check for "some information provided by the labels of the container" (1) and if present, allow the traffic to the service (2). Otherwise the traffic will be denied.

I do not know how to articulate the points (1) and (2).