linux

How to prevent a docker container from escaping to the internet?

Hello professionals! The essence of the question is this, you need to prohibit 1 container from accessing the Internet.

I created the stack I needed using docker compose, everything works fine, but it is necessary for exactly 1 container to go online. So that it only works locally.

What I did:
1. According to one advice I created **/etc/docker/daemon.json** and added the following (Docker restarted after that.):

{
      "iptables": false
    }

Did not help.

2. Inside the container in /etc/resolv.conf, I wrote an invalid dns.

Helped in part. It does not go through domains, but there is a connection to the outside world via ip.

Output of **docker network inspect jobjobdocker_default**

[ {
        "Name": "jobjobdocker_default",
        "Id": "37353f9e58ebf66c31d7f4cd09db49565e384c0bf3896509221625d9154e96f4",
        "Created": "2020-05-31T15:03:49.239139285+03:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "3b21c7bada47a62235b55a48e42a10f26b43d57400d3ac54cc04fb6f65f74d40": {
                "Name": "jobjobdocker_php_1",
                "EndpointID": "cd58e7b86e06c4311d34183d82c5ebbd369f196c31d5af6f11a0b3db2cb97912",
                "MacAddress": "02:42:ac:12:00:04",
                "IPv4Address": "172.18.0.4/16",
                "IPv6Address": ""
            },
            "444b162d15132eee7cf46edcd98f0e75c81c371d0b7e8b9bab34248e92394d2b": {
                "Name": "jobjobdocker_mysql_1",
                "EndpointID": "3719794765c99aa257e5e1d8b728ea30effde703af59073c61376ff9e5e9139d",
                "MacAddress": "02:42:ac:12:00:03",
                "IPv4Address": "172.18.0.3/16",
                "IPv6Address": ""
            },
            "719a0fd8af007619f5df07405832d79f8f3b692ed39997fdf811e1774ec47a45": {
                "Name": "jobjobdocker_nginx_1",
                "EndpointID": "bb805fe8d30f41af179e46bfcb37fdcef15fa8d62ff8b17dd46d850494e561fb",
                "MacAddress": "02:42:ac:12:00:05",
                "IPv4Address": "172.18.0.5/16",
                "IPv6Address": ""
            },
            "c7afbf9dd54152708a9cbf5df51c71ad9c612b26f9997238b9f0bfd7356e0a5d": {
                "Name": "jobjobdocker_pma_1",
                "EndpointID": "5ded1ad259e6f52b05f3bccab03af56a20f9fc130e64e07933184eef883fcfa7",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }

It is necessary to prohibit access to the Internet to this container **jobjobdocker_nginx_1**

It is also important that this container communicates with certain software on the host! That is, it must be blocked so that it can access the host itself (127.0.0.1).

Can this be done using docker?
Is it possible to block access to the Internet for 172.18.0.5 on the host machine?

How to do it right?