McConahy, Renee Margaret authored
Ordinary firewall filtering rules, placed in iptables's "INPUT" chain in
the "filter" table, aren't applied to Docker's ingress traffic, which is
redirected ("NATted") to Docker's interface by the "PREROUTING" chain in
the "nat" table. Hence, the rules purporting to allow LOCKSS management
traffic from trusted hosts are superfluous and misleading: traffic to
those ports is instead restricted by LOCKSS according to its
"LOCKSS_ACCESS_SUBNET" variable.

I could write rules to filter Docker's ingress traffic, but I would
rather not take the time--I would need to take care that they were
always given priority over Docker's rules, even when Docker were
restarted--and LOCKSS's own handling of matters ought to be sufficient
for now.

With that, the base firewall rules (enabling a default-deny ingress
policy with an exception for ssh) seem out of scope for this role.
9398f92b
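An added check, not part of this commit or of the LOCKSS role: given `iptables-save` output, it lists the filter/INPUT rules whose destination port is DNATted in the nat table, i.e. the superfluous rules the message describes, and reports whether the DOCKER-USER chain (where such filtering would have to live) carries any real rule. The sample dump, its addresses and its port numbers are constructed for the example.

```python
"""Flag filter/INPUT rules shadowed by Docker's nat/PREROUTING DNAT."""
import re

# Constructed iptables-save excerpt (not taken from any real host).
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 172.18.0.5:8081
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8082 -j DNAT --to-destination 172.18.0.5:8082
COMMIT
*filter
:INPUT DROP [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 8082 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
"""

DPORT_RE = re.compile(r"--dport (\d+)")

def parse_tables(dump):
    """Return {table_name: [rule lines starting with -A]} from iptables-save text."""
    tables, current = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):          # "*nat", "*filter": start of a table
            current = line[1:].strip()
            tables[current] = []
        elif line.startswith("-A ") and current:
            tables[current].append(line)
    return tables

def dnat_ports(tables):
    """Destination ports rewritten by DNAT in the nat table (Docker's DOCKER chain)."""
    ports = set()
    for rule in tables.get("nat", []):
        m = DPORT_RE.search(rule)
        if "-j DNAT" in rule and m:
            ports.add(int(m.group(1)))
    return ports

def shadowed_input_rules(dump):
    """INPUT rules whose --dport is DNATted first; such traffic traverses FORWARD, not INPUT."""
    tables = parse_tables(dump)
    redirected = dnat_ports(tables)
    return [r for r in tables.get("filter", []) if r.startswith("-A INPUT ")
            and (m := DPORT_RE.search(r)) and int(m.group(1)) in redirected]

def docker_user_has_filtering(dump):
    """True if DOCKER-USER holds anything beyond the default bare RETURN."""
    rules = [r for r in parse_tables(dump).get("filter", []) if r.startswith("-A DOCKER-USER ")]
    return any(r != "-A DOCKER-USER -j RETURN" for r in rules)
```

Running it on a real host means feeding it the output of `iptables-save` instead of the constructed sample.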