linux – Host internal port redirection while blocking target port externally and having docker running

This might be simple but after spending ~5 hours w/ iptables and googling, I couldn’t make it work, so I thought I’ll ask here directly.

I have an ubuntu machine with Docker installed (so it manipulates iptables..)
I have a container that runs in it, and listens on port 80

On the host machine I need to both redirect incoming external traffic whose dest_port is 8080 to port 80 (I would prefer this to happen as early as possible, w/o assuming the listener is a docker container / docker-user chain at the iptables), but if that’s not possible I can compromise on assuming it’s a docker that listens on port 80.

And, to drop any traffic incoming into port 80 externally.

I’ve tried:
PREROUTING w/ setting a mark on tcp dest port 80, later dropping all marked packets at INPUT chain

the redirection works, external browsing to 8080 works.
the problem is, external access to 80 works as well.

Any ideas?

(I prefer the external filtering to be interface-specific, but that’s not a must).
(I also prefer blocking “all” incoming traffic from that specific interface, but any attempt to switch INPUT to deny/drop make the entire machine’s net non-accessible even internally)

Many thanks in advance !