Fail2ban in SWAG: scope and how to disable

I am using the SWAG container with built-in fail2ban.

of course, I have fail2ban running on my server outside of Docker, too.
it seems like the instance running in the docker container is superfluous, since I can setup my outer instance to watch for failed login attempts on nginx in the log files.

then again, I remember that the interplay between the host OS iptables, the docker system, and the guest container networking can be quite complex.
e.g.: Docker and iptables | Docker Documentation

so, what is the relation between my host OS iptables and my container iptables?
can I setup my host OS fail2ban to watch for my SWAG nginx logs to accomplish the same results?
or, would the docker infrastructure mean that my host OS iptables are bypassed by docker, and thus disabling thefail2ban in the container would mean leaving my SWAG webserver open to brute force attacks?

if it is indeed safe to disable fail2ban from the SWAG container, how should I do it to avoid wasting resources for unneeded services?

sure you can disable it, we dont support doing so. you’ll need to modify the container accordingly, our source is open.

okay, so if I wanted to disable it then I would have to put my hands in the code, got it.

still, is there anything to be aware of, with respect to the specifics of host vs guest network routing and iptables?

no, the only reason swag uses iptables is for fail2ban

sure, but what I mean is that I know that the interplay between the host iptables and docker is tricky.

are you sure that adding rules to the INPUT chain, which is the classic fail2ban iptables’ ban action, is sufficient to protect the docker container?
maybe I should ban malicious IPs in the DOCKER-USER chain, instead?
this is the bulk of my question – before disabling fail2ban on the guest, I want to make sure it is working as expected on the host.