[Sebb767]

Docker uses it's own iptables rules which have priority over the system ones. Therefore, even if you have an iptables-based firewall blocking all ports, a docker service will still be reachable, unless configured not to be in docker itself.

[BrandoElFollito]

I do not understand what you mean by "priority over the system ones"

A docker container can have internal ports exposed explicitly, or use host networking. In any case these are ports exposed by the docker-proxy executable - an executable like any other on the system.

Then come the iptables rules of the system (which open or not data flow to the ports exposed by docker-proxy).

Or is it different?

[BrandoElFollito]

Ah, now I get what you mean - that entries such as

    ACCEPT     tcp  --  anywhere             172.19.0.10          tcp dpt:8843

are created by docker, independently from the configuration of iptables themselves.

[Sebb767]

Taking precedence was not the ideal word - it uses the same ip tables, but it inserts its own table as the first one. Therefore it 'ignores' system rules, which might come at a surprise.