Restricting access to exposed services


I have several bare metal servers running a bunch of different environments (all Cattle). I have a staging environment with some services exposed that I want to only be accessible through a set of IPs. I searched about this and the only thing I’ve encountered was this issue: How to restrict access to service via iptables?. My goal is to invert the “docker behaviour”, I want to drop every connection to every port unless it comes from a trusted IP. I also saw an open issue for a CATTLE_USER chain, similar to DOCKER_USER that I think that would solve the problem, but it is not scheduled to any milestone.

Is the mangle table the way to go for these cases?