Docker rewrites the host's iptables rules on every container action. The best approach is to manage the firewall manually, which means starting dockerd with --iptables=false through a systemd override:
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false
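As an added example (not part of the original page), the shell functions below check merged unit text, in the layout `systemctl cat docker.service` prints, for the override above: they apply systemd's rule that an empty ExecStart= clears earlier commands and confirm that the single remaining command carries --iptables=false. The sample unit text is constructed, and ExecStart values are assumed to sit on one line.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Input is merged unit text:
# the packaged unit first, then any drop-ins, as `systemctl cat` prints it.
# Assumption: no backslash line continuations inside ExecStart values.

# Print the ExecStart commands still in effect. An empty "ExecStart="
# clears everything listed before it, which is why the drop-in starts with one.
effective_execstart() {
  awk '
    /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\]/); next }
    in_service && /^[ \t]*ExecStart[ \t]*=/ {
      val = $0
      sub(/^[ \t]*ExecStart[ \t]*=[ \t]*/, "", val)
      if (val == "") n = 0; else cmds[++n] = val
    }
    END { for (i = 1; i <= n; i++) print cmds[i] }
  '
}

# Succeed only when exactly one command is in effect (systemd requires that
# unless Type=oneshot) and that command carries --iptables=false.
docker_iptables_disabled() {
  local cmds count
  cmds=$(effective_execstart)
  count=$(printf '%s\n' "$cmds" | grep -c . || true)
  [ "$count" -eq 1 ] || return 1
  case " $cmds " in
    *" --iptables=false "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample inputs (not captured from a real host).
PACKAGED='[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'
DROPIN='[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false'
DROPIN_NO_RESET='[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false'

check() {
  printf '%s\n%s\n' "$PACKAGED" "$1" | docker_iptables_disabled \
    && echo "iptables handling disabled" || echo "NOT disabled"
}
check "$DROPIN"
check "$DROPIN_NO_RESET"   # two ExecStart commands remain without the reset
```

On a host, pipe the output of `systemctl cat docker.service` into docker_iptables_disabled instead of the sample text.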