Docker plays with host iptables firewall with every container action. 
The best is to manipulate firewall manually.
<file | /etc/systemd/system/docker.service.d/noiptables.conf>
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false
</file>