Restrict external access to a Docker Mysql using IPTables?

I have a Docker MySQL running on a Linode using the following dockerfile:

version: '3'
services:
  mysql8:
    image: mysql:8.0.23
    command: --default-authentication-plugin=mysql_native_password
    container_name: mysql8
    cap_add:
      - SYS_NICE
    environment:
      MYSQL_ROOT_PASSWORD: rambo
    volumes:
      - /opt/mysql/data:/var/lib/mysql
    ports:
      - 3306:3306

I can connect by: (1) SSHing into the Linode machine and then using mysql -h 127.0.0.1; (2) connecting directly from my laptop to the MySQL server on the Linode server: mysql -h 45.79.101.138

What I need is to allow access to port 3306 internally, meaning (1), but not (2).

I tried with:

iptables -A INPUT -p tcp --dport 3306 -s 172.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP

But I can still connect from my laptop and internally.

If I only have the DROP rule, then I cannot connect either internally or from my laptop.

iptables -A INPUT -p tcp --dport 3306 -j DROP

My iptables rules look like this:

# Generated by iptables-save v1.8.4 on Fri Oct 15 21:58:42 2021
*filter
:INPUT ACCEPT [3222:286906]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4089:439672]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-bbc39200a6b6 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-bbc39200a6b6 -j DOCKER
-A FORWARD -i br-bbc39200a6b6 ! -o br-bbc39200a6b6 -j ACCEPT
-A FORWARD -i br-bbc39200a6b6 -o br-bbc39200a6b6 -j ACCEPT
-A FORWARD -o br-595c99b571cb -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-595c99b571cb -j DOCKER
-A FORWARD -i br-595c99b571cb ! -o br-595c99b571cb -j ACCEPT
-A FORWARD -i br-595c99b571cb -o br-595c99b571cb -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-595c99b571cb -o br-595c99b571cb -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-bbc39200a6b6 ! -o br-bbc39200a6b6 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-595c99b571cb ! -o br-595c99b571cb -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-bbc39200a6b6 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-595c99b571cb -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri Oct 15 21:58:42 2021
# Generated by iptables-save v1.8.4 on Fri Oct 15 21:58:42 2021
*nat
:PREROUTING ACCEPT [1297:65663]
:INPUT ACCEPT [1297:65663]
:OUTPUT ACCEPT [12:720]
:POSTROUTING ACCEPT [16:940]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-bbc39200a6b6 -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-595c99b571cb -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-bbc39200a6b6 -j RETURN
-A DOCKER -i br-595c99b571cb -j RETURN
-A DOCKER ! -i br-595c99b571cb -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.19.0.2:3306
COMMIT
# Completed on Fri Oct 15 21:58:42 2021

Any idea is appreciated.

mangohost
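Added example, not part of the question and not Docker's own tooling: a small shell script that shows why the INPUT rules above cannot work and what a Docker-compatible restriction looks like. Docker implements `3306:3306` with the nat-table rule `-A DOCKER ! -i br-595c99b571cb -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.19.0.2:3306`, so a packet from the laptop is rewritten to 172.19.0.2:3306 in PREROUTING and then routed to the container through the FORWARD chain; it never traverses INPUT, which is why both INPUT rules are bypassed for that traffic. A connection made on the host itself (case 1) is locally generated, traverses OUTPUT rather than FORWARD, and is therefore unaffected by rules placed in DOCKER-USER, the chain Docker reserves for user rules and jumps to first from FORWARD (Docker rewrites its own chains on restart but leaves DOCKER-USER alone). `publicly_published_ports` reads an iptables-save dump from stdin and lists every DNAT rule in the nat DOCKER chain that is not limited to a 127.0.0.1 destination, the form Docker writes when a port is published as `127.0.0.1:3306:3306`; `docker_user_restrict_rules` prints the rule that drops external traffic to that port, matching the original destination port through conntrack because DNAT has already rewritten it by the time FORWARD runs. The sample dump is constructed from the question's rules plus one loopback-bound rule for a second container; `eth0` is a placeholder for the Linode's public interface; the functions print commands rather than executing them.

```shell
#!/bin/sh
# Added example (not from the question): audit an iptables-save dump for Docker
# DNAT rules that publish a container port on every host address, and print the
# DOCKER-USER rule that blocks external clients while host-local connections
# (which traverse OUTPUT, not FORWARD) keep working.

# Constructed sample: the nat-table lines from the question plus a second,
# constructed rule of the kind Docker writes for a 127.0.0.1:6379:6379 publish
# (bridge name, container address and port are made up for illustration).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i br-595c99b571cb -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.19.0.2:3306
-A DOCKER -d 127.0.0.1/32 ! -i br-aaaaaaaaaaaa -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.20.0.2:6379
COMMIT'

# Read an iptables-save dump on stdin and print "PORT DESTINATION" for each DNAT
# rule in the nat DOCKER chain that lacks a loopback-only destination match,
# i.e. each published port reachable from any interface.
publicly_published_ports() {
  awk '
    /^\*/ { table = substr($0, 2) }
    table == "nat" && $1 == "-A" && $2 == "DOCKER" && /-j DNAT/ && !/-d 127\.0\.0\.1\/32/ {
      port = ""; dest = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport") port = $(i + 1)
        if ($i == "--to-destination") dest = $(i + 1)
      }
      print port, dest
    }'
}

# Print the iptables command that drops packets arriving on the external
# interface for one published port. It is inserted at the top of DOCKER-USER,
# and it matches the ORIGINAL destination port tracked by conntrack because the
# packet's destination has already been rewritten by DNAT when FORWARD runs.
docker_user_restrict_rules() {
  port=$1
  ext_if=${2:-eth0}   # placeholder: substitute the host's public interface
  printf 'iptables -I DOCKER-USER -i %s -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j DROP\n' "$ext_if" "$port"
}

# Combine both: for every publicly published port in the dump on stdin, print a
# one-line finding followed by the restricting rule.
audit_dump() {
  ext_if=${1:-eth0}
  publicly_published_ports | while read -r port dest; do
    printf '# port %s -> %s is reachable from every interface\n' "$port" "$dest"
    docker_user_restrict_rules "$port" "$ext_if"
  done
}

# Stand-alone run against the constructed sample (on a real host, pipe the
# output of `iptables-save` instead).
printf '%s\n' "$SAMPLE_DUMP" | audit_dump eth0
```

Run on the real host with `iptables-save | sh audit.sh` style piping (or call `audit_dump` directly), review the printed rule, then apply it; `iptables -L DOCKER-USER -n -v --line-numbers` shows the inserted rule and its packet counters, and a connection attempt from the laptop should now time out while `mysql -h 127.0.0.1` on the host still succeeds. The simpler alternative that needs no extra firewall rule is to change the compose `ports` entry to `127.0.0.1:3306:3306`, after which Docker itself writes the DNAT rule with `-d 127.0.0.1/32` and the audit function no longer reports the port. Either way, the two INPUT rules for port 3306 in the dump above are never consulted for container traffic and can be removed.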
