As discussed extensively in https://github.com/moby/moby/issues/22054, which is linked from the OP: this doesn't actually help, because Docker (by default) bypasses your existing firewall rules.
Ah, forgot about forwarding table. These should fix that:
for tool in iptables ip6tables ; do
$tool -I DOCKER-USER 1 -i eth+ -m conntrack --ctstate NEW -j DROP
$tool -I DOCKER-USER 1 -i wlan+ -m conntrack --ctstate NEW -j DROP
done
If these are saved and loaded with the rest of networking, they will appear at the top of the FORWARD table before the DOCKER table jumps. Docker won't remove these rules, and they come first in the table, so they supersede Docker's rules. Any new connections forwarded from an external interface should drop.
....because then containers can't network at all to non-local networks, e.g. no internet access. for bridge networks at least (which is the default).
by specifying the drop for new connections incoming from the external interface, you stop connections to listening services from external networks, but established and related connections can continue implicitly, so forwarding still works for outbound connections.
if you really want to block all internet access for containers, and stop anything else on your system that might need to use forwarding, then your suggestion is correct.
