I am trying to build a setup akin to a "Qubes OS Lite", but using Docker containers on Arch.
There will be several end-user applications running in Docker (with the help of https://subuser.org), and they will be routed through another appliance-like container which will run a VPN and a firewall (i.e. a setup akin to this: https://stackoverflow.com/questions/39913757/restrict-internet-access-docker-container).
My question is: how do I completely disable internet access for the underlying Linux system, while still allowing the internet-facing Docker container to access the internet?