There are two ways to restrict network access to a Docker container: run iptables inside the container, or add restrictions to the forwarding rules on the host OS.
The first solution requires running the container in privileged mode.
The second solution amounts to adding filtering lines to the iptables rules on the host:
# This line was added by the docker service on start
-A FORWARD -j DOCKER-ISOLATION
# New filtering line.
-A DOCKER-ISOLATION -s 172.16.0.0/16 -j RETURN
# Lines below were added by docker service on start
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# Change RETURN to DROP
-A DOCKER-ISOLATION -j DROP
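Because `FORWARD` jumps to `DOCKER-ISOLATION` before anything else, the terminal `DROP` above is evaluated for every forwarded packet in both directions, so it is worth tracing what the chain does to a few concrete packets before applying it. The script below is an added example, not code from the post: it parses a constructed iptables-save-style dump in the shape shown above and walks the `FORWARD` chain for three constructed packets. It assumes the default `docker0` subnet 172.17.0.0/16, a container at 172.17.0.2 with one published port (the `DOCKER` rule is the one Docker installs for `-p 80:80`), and it also evaluates a variant with an extra `--ctstate RELATED,ESTABLISHED -j RETURN` rule ahead of the `DROP`, which is my addition and not part of the post's ruleset.

```python
"""Walk the FORWARD chain the way netfilter would for a few constructed packets,
to see what the DOCKER-ISOLATION change described in the post lets through.
Added example, not code from the original post. It assumes the default docker0
bridge subnet 172.17.0.0/16 and a single published port; the parser understands
only the options that appear in these rules."""
import ipaddress
import shlex

# Constructed subset of an iptables-save dump in the shape shown in the post.
# The DOCKER rule is what Docker installs for a container started with -p 80:80
# (assumed container address 172.17.0.2).
RULESET = """
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION -s 172.16.0.0/16 -j RETURN
-A DOCKER-ISOLATION -j DROP
"""

# Same ruleset with one extra RETURN (my addition, not from the post) so that
# reply traffic of already-admitted connections is not caught by the final DROP.
RULESET_CONNTRACK = RULESET.replace(
    "-A DOCKER-ISOLATION -j DROP",
    "-A DOCKER-ISOLATION -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN\n"
    "-A DOCKER-ISOLATION -j DROP")

def parse(dump):
    """Turn '-A CHAIN ...' lines into {chain: [rule, ...]}, preserving rule order."""
    chains = {}
    for line in dump.strip().splitlines():
        tok = shlex.split(line)
        if tok[0] != "-A":
            continue
        rule = {"match": [], "target": None}
        i = 2
        while i < len(tok):
            neg = tok[i] == "!"
            if neg:
                i += 1
            opt, arg = tok[i], tok[i + 1]
            i += 2
            if opt == "-j":
                rule["target"] = arg
            elif opt == "-m":
                continue                      # match module name; its options follow
            elif opt in ("-s", "-d"):
                rule["match"].append((opt, ipaddress.ip_network(arg), neg))
            elif opt in ("-i", "-o", "-p", "--dport"):
                rule["match"].append((opt, arg, neg))
            elif opt == "--ctstate":
                rule["match"].append((opt, set(arg.split(",")), neg))
            else:
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        chains.setdefault(tok[1], []).append(rule)
    return chains

PKT_FIELD = {"-s": "src", "-d": "dst", "-i": "iif", "-o": "oif",
             "-p": "proto", "--dport": "dport", "--ctstate": "ctstate"}

def matches(rule, pkt):
    for opt, want, neg in rule["match"]:
        have = pkt[PKT_FIELD[opt]]
        if opt in ("-s", "-d"):
            hit = ipaddress.ip_address(have) in want
        elif opt == "--ctstate":
            hit = have in want
        else:
            hit = have == want
        if hit == neg:              # a negated match must NOT hit
            return False
    return True

def walk(chains, chain, pkt):
    """ACCEPT/DROP when a terminating target fires; None when the chain falls
    through or a RETURN sends the packet back to the calling chain."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        verdict = walk(chains, target, pkt)     # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None

def forward_verdict(dump, pkt):
    """Verdict for one packet entering FORWARD; 'POLICY' means the chain's
    default policy decides (Docker sets FORWARD to DROP on recent releases)."""
    return walk(parse(dump), "FORWARD", pkt) or "POLICY"

# Constructed packets: a LAN host reaching the published port, an Internet host
# trying the same, and the container's reply back to the LAN host.
LAN_TO_CONTAINER = dict(src="172.16.5.5", dst="172.17.0.2", iif="eth0", oif="docker0",
                        proto="tcp", dport="80", ctstate="NEW")
INTERNET_TO_CONTAINER = dict(LAN_TO_CONTAINER, src="203.0.113.9")
CONTAINER_REPLY = dict(src="172.17.0.2", dst="172.16.5.5", iif="docker0", oif="eth0",
                       proto="tcp", dport="51000", ctstate="ESTABLISHED")

if __name__ == "__main__":
    for name, pkt in [("lan", LAN_TO_CONTAINER), ("internet", INTERNET_TO_CONTAINER),
                      ("reply", CONTAINER_REPLY)]:
        print(f"{name:9} post's rules: {forward_verdict(RULESET, pkt):7} "
              f"with conntrack RETURN: {forward_verdict(RULESET_CONNTRACK, pkt)}")
```

The walk shows the point of the caveat: the LAN host's packet is admitted and the Internet host's packet is dropped, as intended, but the container's own reply is sourced from the bridge subnet, not from 172.16.0.0/16, so with a default bridge it also hits the terminal `DROP`. If the bridge is itself inside 172.16.0.0/16 the reply passes, but replies from any host outside that range still do not. A `RELATED,ESTABLISHED -j RETURN` rule placed before the `DROP` keeps the restriction on new connections while letting admitted connections complete.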