diff --git a/utils/docker-ce/files/dockerd.init b/utils/docker-ce/files/dockerd.init
index ce65b012a..1ca5e5420 100755
--- a/utils/docker-ce/files/dockerd.init
+++ b/utils/docker-ce/files/dockerd.init
@@ -181,16 +181,39 @@ service_triggers() {
 procd_add_reload_trigger 'dockerd'
 }
-add_docker_firewall_rules() {
- . /lib/functions/network.sh
- local device interface="${1}"
+iptables_add_blocking_rule() {
+ local cfg="$1"
- # Ignore errors as it might already be present
- iptables --table filter --new DOCKER-USER 2>/dev/null
- network_get_physdev device "${interface}"
- if ! iptables --table filter --check DOCKER-USER --in-interface "${device}" --out-interface docker0 --jump DROP 2>/dev/null; then
- iptables --table filter --insert DOCKER-USER --in-interface "${device}" --out-interface docker0 --jump DROP
- fi
+ local device=""
+ handle_iptables_rule() {
+ local interface="$1"
+ local outbound="$2"
+ local inbound=""
+ . /lib/functions/network.sh
+ network_get_physdev inbound "${interface}"
+ [ -z "$inbound" ] && {
+ logger -t "dockerd-init" -p notice "Unable to get physical device for interface ${interface}"
+ return
+ }
+ if ! iptables --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" --jump DROP 2>/dev/null; then
+ logger -t "dockerd-init" -p notice "Drop traffic from ${inbound} to ${outbound}"
+ iptables --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" --jump DROP
+ fi
+ }
+ config_get device "$cfg" device
+ [ -z "$device" ] && {
+ logger -t "dockerd-init" -p notice "No device configured for ${cfg}"
+ return
+ }
+ config_list_foreach "$cfg" blocked_interfaces handle_iptables_rule "$device"
 }
 ip4tables_remove_nat() {
diff --git a/utils/docker-ce/files/etc/config/dockerd b/utils/docker-ce/files/etc/config/dockerd
index d0e39cc9a..3a1f80278 100644
--- a/utils/docker-ce/files/etc/config/dockerd
+++ b/utils/docker-ce/files/etc/config/dockerd
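Review bot: Existing installs whose /etc/config/dockerd predates `option device` lose the WAN-to-Docker DROP rule, because `iptables_add_blocking_rule` now logs "No device configured" and returns where the removed code hard-coded `docker0`; given the config's own comment that Docker bypasses fw3 and admits all external sources by default, that is a silent exposure on upgrade, so fall back via config_get's default argument: `config_get device "$cfg" device docker0`. The new function also drops the `iptables --table filter --new DOCKER-USER 2>/dev/null` the old one ran; if this runs before dockerd has created the chain, `--check` fails, `--insert` fails too, and nothing is installed, so restore the chain creation before the `config_list_foreach` call. The `--insert` exit status is not checked either; appending `|| logger -t "dockerd-init" -p err "Failed to insert DROP rule ${inbound} -> ${outbound}"` would make a failed install visible in the log instead of only on stderr. Defining `handle_iptables_rule` inside the function and sourcing network.sh on every callback works, but a top-level helper with a single `. /lib/functions/network.sh` in `iptables_add_blocking_rule` reads cleaner.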
@@ -16,4 +16,5 @@ config globals 'globals'
 # Docker ignores fw3 rules and by default all external source IPs are allowed
 # to connect to the Docker host. See https://docs.docker.com/network/iptables/
 config firewall 'firewall'
+ option device 'docker0'
 list blocked_interfaces 'wan'
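Review bot: The new `option device 'docker0'` is not explained by the section comment, which still only says why the firewall section exists. A line such as `# 'device' is the Docker bridge; traffic entering from each 'blocked_interfaces' entry towards it is dropped` above the option would tell an admin what value to put there when they use a non-default bridge.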