In service_linux.go below functions uses IPTables APIs that might create/update IPChain.
fwMarker()
redirector()
programIngress()

If --iptables=false is set dockerd should not create any iptables rules or chains

https://github.com/docker/libnetwork/pull/2339 fixes part of the issue by checking the above flag before creating the DOCKER-USER chain

Raising this issue to track the fix for docker service