I have installed several Docker containers on my server. All containers are inside the same Docker network, and basically the structure is that every container is behind the nginxproxymanager reverse proxy container.
So far so good, everything works well. So I'm trying to harden the setup by adding fail2ban, which I failed to get working. I'm struggling to understand iptables better, but I can't make it work.
After restarting Docker and inspecting the iptables file (/etc/iptables/iptables.rules), I have this:
# Generated by iptables-save v1.8.7 on Fri Oct 29 09:48:00 2021
*nat
:PREROUTING ACCEPT [82:13454]
:INPUT ACCEPT [71:12758]
:OUTPUT ACCEPT [72:4846]
:POSTROUTING ACCEPT [858:45979]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-0aee38841ef3 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p tcp -m tcp --dport 3000 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-0aee38841ef3 -j RETURN
-A DOCKER ! -i br-0aee38841ef3 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.19.0.2:3000
COMMIT
# Completed on Fri Oct 29 09:48:00 2021
# Generated by iptables-save v1.8.7 on Fri Oct 29 09:48:00 2021
*filter
:INPUT ACCEPT [98:7750]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [77:11194]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -s 37.XXX.XXX.XX/32 -j DROP
-A INPUT -j DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-0aee38841ef3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-0aee38841ef3 -j DOCKER
-A FORWARD -i br-0aee38841ef3 ! -o br-0aee38841ef3 -j ACCEPT
-A FORWARD -i br-0aee38841ef3 -o br-0aee38841ef3 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-0aee38841ef3 -o br-0aee38841ef3 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-0aee38841ef3 ! -o br-0aee38841ef3 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-0aee38841ef3 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -s 37.XXX.XXX.XX/32 -j DROP
COMMIT
# Completed on Fri Oct 29 09:48:00 2021
I've just removed the other containers' rules, as they follow the same concept as the one I left (dport 3000).
br-0aee38841ef3 is the bridge created when I created the Docker network where my containers reside.
As you can see, I tried to add a DROP rule for my public IP address (37.XXX.XXX.XX) in both the INPUT and DOCKER-USER chains, but I can still navigate through my containers (I have a custom domain whose A record points to my IP), so the rule isn't working.
Of course iptables is started and reloaded with the new rules, so what am I missing in order to ban an IP?
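The question above turns on where a source-IP ban actually takes effect on a Docker host: published container ports are DNATed in nat/PREROUTING, so that traffic traverses filter/FORWARD (where Docker inserts the DOCKER-USER jump first) and never reaches filter/INPUT. The following script is an added example, not code from the poster; it parses an iptables-save dump (an excerpt of the dump quoted above, embedded inline), checks which chains hold a DROP for the banned address, and reports whether the ban can affect forwarded container traffic. The `chain` setting it mentions is fail2ban's existing jail parameter for its iptables actions (defaulting to INPUT); the hairpin-NAT remark describes one common reason a correct DOCKER-USER rule still appears not to fire and is an assumption about the environment, not a fact from the post.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the iptables-save dump from the post, embedded so the audit runs
# offline. "37.XXX.XXX.XX" is the poster's own redaction and is kept verbatim.
IPTABLES_DUMP = """\
*nat
:PREROUTING ACCEPT [82:13454]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-0aee38841ef3 -j RETURN
-A DOCKER ! -i br-0aee38841ef3 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.19.0.2:3000
COMMIT
*filter
:INPUT ACCEPT [98:7750]
:FORWARD ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A INPUT -s 37.XXX.XXX.XX/32 -j DROP
-A INPUT -j DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-0aee38841ef3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-0aee38841ef3 -j DOCKER
-A DOCKER-USER -s 37.XXX.XXX.XX/32 -j DROP
COMMIT
"""

Rule = Dict[str, str]
Tables = Dict[str, Dict[str, List[Rule]]]


def parse_dump(text: str) -> Tables:
    """Parse iptables-save output into tables[table][chain] -> ordered rules."""
    tables: Tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # "*nat", "*filter"
            table = line[1:]
            tables.setdefault(table, {})
        elif line.startswith(":") and table:          # chain declaration
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A ") and table:        # rule appended to a chain
            _, chain, *rest = line.split()
            args = " ".join(rest)
            m = re.search(r"-j\s+(\S+)", args)
            tables[table].setdefault(chain, []).append(
                {"args": args, "target": m.group(1) if m else ""})
    return tables


def published_ports(tables: Tables) -> List[Tuple[str, str]]:
    """(port, destination) pairs Docker DNATs into containers via nat/DOCKER."""
    out = []
    for rule in tables.get("nat", {}).get("DOCKER", []):
        m = re.search(r"--dport (\d+) -j DNAT --to-destination (\S+)", rule["args"])
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def has_source_drop(rules: List[Rule], ip: str) -> bool:
    """True if some rule in the chain DROPs packets whose source is exactly `ip`."""
    needle = re.compile(r"-s " + re.escape(ip) + r"(?:/32)?(?:\s|$)")
    return any(needle.search(r["args"]) and r["target"] == "DROP" for r in rules)


def audit_ban(text: str, ip: str) -> Dict[str, object]:
    """Report where a ban for `ip` lives and whether it can reach container traffic."""
    tables = parse_dump(text)
    filt = tables.get("filter", {})
    forward = filt.get("FORWARD", [])
    ports = published_ports(tables)
    input_drop = has_source_drop(filt.get("INPUT", []), ip)
    user_drop = has_source_drop(filt.get("DOCKER-USER", []), ip)
    user_first = bool(forward) and forward[0]["target"] == "DOCKER-USER"
    findings: List[str] = []
    if ports:
        findings.append("published ports %s are DNATed in nat/PREROUTING and traverse "
                        "filter/FORWARD, so an INPUT DROP never sees that traffic"
                        % ", ".join(p for p, _ in ports))
    if not user_drop:
        findings.append("no DROP for %s in DOCKER-USER; fail2ban's iptables actions "
                        "default to chain=INPUT, set chain = DOCKER-USER in the jail" % ip)
    elif not user_first:
        findings.append("DOCKER-USER is not the first FORWARD rule, so Docker's ACCEPTs may win")
    else:
        # Assumption about the environment, not a fact from the post: a client behind
        # the same router reaches the public IP via hairpin NAT with a private source.
        findings.append("DOCKER-USER DROP for %s is evaluated first in FORWARD; if access "
                        "still works, the packets do not carry that source address "
                        "(e.g. hairpin NAT from inside the same network)" % ip)
    return {"input_drop": input_drop, "docker_user_drop": user_drop,
            "docker_user_first_in_forward": user_first,
            "published_ports": ports, "findings": findings}


if __name__ == "__main__":
    for line in audit_ban(IPTABLES_DUMP, "37.XXX.XXX.XX")["findings"]:
        print("-", line)
```

Run it against a live host with `iptables-save | python3 audit.py` after swapping the embedded dump for `sys.stdin.read()`; the useful output is the findings list, which tells you whether the ban is in the chain Docker actually consults for forwarded traffic.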