Disallow container A to ping other containers in the same network

What is the ideal iptables configuration to isolate each container in a 10.x.x.x network from pinging/communicating with the others?

I’d expect something like:

iptables -I FORWARD -s 10.x.x.x/8 ! -d -j REJECT

Then make sure that br_netfilter is configured to send bridge to bridge traffic through netfilter.

After I ran sudo modprobe br_netfilter and applied your iptables rule, it works as expected, except that I couldn’t connect to the Internet from the containers, especially for apt update.

bridge to bridge traffic through netfilter.
I’m new to this approach, what does this do?

Oh right, oops, you’d want:

iptables -I FORWARD -s 10.x.x.x/8 -d 10.x.x.x/8 -j REJECT

Instead I think.
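As an added example (not code from the thread), here is the corrected rule from the reply above written as a runnable script, with the page's 10.x.x.x/8 placeholder assumed to mean the concrete 10.0.0.0/8. Because applying iptables rules needs root and a real bridge, the script prints the commands instead of executing them, and it includes a small pure-shell model of what the single rule matches so you can check the behaviour on any machine: a packet is rejected only when both source and destination fall inside the container network. The "bridge to bridge traffic through netfilter" step is the br_netfilter module plus the net.bridge.bridge-nf-call-iptables sysctl, which makes frames switched between ports of the same Linux bridge traverse the iptables FORWARD chain. Function names (isolation_commands, in_cidr, verdict) are my own.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumption: the page's "10.x.x.x/8" placeholder is 10.0.0.0/8.
CONTAINER_NET="10.0.0.0/8"

# Emit the commands proposed in the thread. They are printed rather than run
# so the script is safe anywhere; as root, pipe the output into sh to apply.
isolation_commands() {
    printf '%s\n' \
        "modprobe br_netfilter" \
        "sysctl -w net.bridge.bridge-nf-call-iptables=1" \
        "iptables -I FORWARD -s $CONTAINER_NET -d $CONTAINER_NET -j REJECT"
}

# ip4_to_int A.B.C.D -> unsigned 32-bit integer (dotted quad, no leading zeros)
ip4_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit status 0 when IP lies inside NET/BITS
in_cidr() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# verdict SRC DST -> what the inserted FORWARD rule does with a forwarded
# packet: REJECT when both ends are containers, otherwise fall through to
# the rest of the FORWARD chain (printed here as FORWARD).
verdict() {
    if in_cidr "$1" "$CONTAINER_NET" && in_cidr "$2" "$CONTAINER_NET"; then
        echo REJECT
    else
        echo FORWARD
    fi
}

# Stand-alone demonstration.
isolation_commands
printf 'container -> container: %s\n' "$(verdict 10.0.3.2 10.0.3.3)"
printf 'container -> Internet:  %s\n' "$(verdict 10.0.3.2 1.1.1.1)"
printf 'reply from Internet:    %s\n' "$(verdict 1.1.1.1 10.0.3.2)"
```

Two things worth knowing before relying on this: the FORWARD chain only sees packets the host forwards, so traffic from a container to the host itself (the bridge address, and any DNS or DHCP served from it) goes through INPUT and is not affected by this rule; and because the rule is inserted at the head of FORWARD with -I, it takes precedence over any earlier rule that accepts established connections, which is what you want for container-to-container traffic but means the rule must name the exact container network, not a wider range.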

It works as expected, and it’s nice to know about br_netfilter, or I would have lost more time getting it to work.