Functionality similar to docker-user chain in filter table, but in NAT?

Hi everybody! I am trying to prevent connections from the internet to a port that I have exposed through my docker-compose file:

ports:
      - "8080:3000"

What happens is: I want only my local network to be able to reach this port. I have figured out that by using the following nftables rules

nft insert rule filter DOCKER-USER position 0 'ip saddr != 192.168.178.0/24 ip daddr 172.19.0.4 tcp dport 3000 jump DOCKER-USER-DROP'

I can get the behavior I want, but this forces me to check what is the internal container’s ip address and the internal port. I’d prefer to specify directly the external port I am trying to protect, but to achieve this I’d need to add this rule in a table similar to DOCKER-USER in the NAT table. The problem, then, is that I think there is not such chain managed by docker itself… or is there? In my debian 11 I have the following:

table ip nat {
        [...]
        chain DOCKER {
                iifname "br-313449142f9f" counter packets 0 bytes 0 return
                iifname "docker0" counter packets 0 bytes 0 return
                iifname != "br-313449142f9f" meta l4proto tcp tcp dport 8080 counter packets 63 bytes 3700 dnat to 172.19.0.4:3000
                iifname != "br-313449142f9f" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 5432 counter packets 0 bytes 0 dnat to 172.19.0.2:5432
                iifname != "br-313449142f9f" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 3000 counter packets 0 bytes 0 dnat to 172.19.0.3:3000
        }
        [...]
}

and I’d expect something like I have in the filter table:

table ip filter {
        [...]
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
                counter packets 7591 bytes 931764 jump DOCKER-ISOLATION-STAGE-1
                counter packets 7591 bytes 931764 jump DOCKER-USER
                oifname "br-313449142f9f" ct state related,established counter packets 6821 bytes 874506 accept
                oifname "br-313449142f9f" counter packets 49 bytes 2860 jump DOCKER
                iifname "br-313449142f9f" oifname != "br-313449142f9f" counter packets 337 bytes 31358 accept
                iifname "br-313449142f9f" oifname "br-313449142f9f" counter packets 0 bytes 0 accept
                oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
                oifname "docker0" counter packets 0 bytes 0 jump DOCKER
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
                iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
        }

        chain DOCKER-USER {
                oifname "lo" counter packets 0 bytes 0 jump DOCKER-USER-DENY-INTERNAL
                oifname "enp*" counter packets 707 bytes 53558 jump DOCKER-USER-DENY-INTERNAL
                counter packets 7207 bytes 908724 return
        }
        [...]
}

so… how can I get this to work? I am surprised to have found very little documentation about this, when I’d expect this situation (preventing ports to being open to the internet) to be pretty well documented. This makes me think I might be doing something wrong?
Thank you!