Давно уже не использую iptables и вырубил его использование у докера вообще, только мешается.

Вот все достаточно просто:

root@localhost:~# cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;

                ct state invalid counter drop comment "early drop of invalid packets"

                ct state {established, related} accept comment "established, related"

                iif lo accept comment "accept loopback"

                ip saddr 192.168.0.0/16 accept comment "accept private networks"
                ip saddr 172.16.0.0/12 accept comment "accept private networks"
                ip saddr 10.0.0.0/8 accept comment "accept private networks"

                ip protocol icmp accept comment "accept all ICMP types"

                #log prefix "Dropped: " flags all drop comment "dropped packets logger"
                #log prefix "Rejected: " flags all reject comment "rejected packets logger"

                counter comment "count dropped packets"
        }
        chain forward {
                type filter hook forward priority 0; policy accept;
                counter jump docker-user
                counter jump docker-isolation-stage-1
                oifname "docker0" ct state related,established counter accept
                oifname "docker0" counter jump docker
                iifname "docker0" oifname != "docker0" counter accept
                iifname "docker0" oifname "docker0" counter accept
        }
        chain output {
                type filter hook output priority 0; policy accept;
        }

        chain docker {
        }
        chain docker-isolation-stage-1 {
                iifname "docker0" oifname != "docker0" counter jump docker-isolation-stage-2
                counter return
        }
        chain docker-isolation-stage-2 {
                oifname "docker0" counter drop
                counter return
        }
        chain docker-user {
                counter return
        }

}

table ip nat {
        chain prerouting { type nat hook prerouting priority -100; policy accept;
                fib daddr type local counter jump docker
        }
        chain input { type nat hook input priority 100; policy accept; }
        chain output { type nat hook output priority -100; policy accept;
                ip daddr != 127.0.0.0/8 fib daddr type local counter jump docker
        }
        chain postrouting { type nat hook postrouting priority 100; policy accept;
                oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade
        }
        chain docker{
                iifname "docker0" counter return
        }
}