Fail2ban for docker behind reverse proxy

in the wiki it says:

Do not use this if you use a reverse proxy before Docker container. If proxy, like apache2 or nginx is used, use the ports of the proxy and do not use chain=FORWARD, only when using Docker without proxy!

Which chain should I use?
The situation is:
nginx reverse proxy on a pi4
bitwarden docker container on another host. Ports 88 and 8443.
I tried entering those ports in the INPUT and FORWARD chain with no effect.