Status: Open
Labels: area/networking, area/networking/firewalling, kind/feature
Description
If you run Docker with the default settings, --iptables=true makes it nearly impossible to apply custom security settings. I must accept that each container can call everything outside, or nothing (--icc=false).
I would propose creating more chains to allow special options:
- PRE_DOCKER_IN, which is registered before the DOCKER and DOCKER-ISOLATION chains and is attached at FORWARD -o docker0
- PRE_DOCKER_OUT, which is registered before the DOCKER and DOCKER-ISOLATION chains and is attached at FORWARD -i docker0
- POST_DOCKER_IN, which is registered after the DOCKER and DOCKER-ISOLATION chains and is attached at FORWARD -o docker0
- POST_DOCKER_OUT, which is registered after the DOCKER and DOCKER-ISOLATION chains and is attached at FORWARD -i docker0
After those chains you can add ACCEPT all or DROP all, depending on --icc=true|false.
The logic must be: if PRE_DOCKER_* or POST_DOCKER_* already exists, it will not be created. Docker will not put any rules into these chains. So a normal admin can use them to have full control over the FORWARD chain.
What do you think?
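The layout the issue proposes, worked through as an added example (this is not code from the issue, the reporter, or Docker itself). The script reads the output of `iptables -S FORWARD`, creates the four hook chains only if they are missing (so an admin's existing chain and its rules are left alone, as the issue asks), and rewrites the FORWARD rule list so the PRE_DOCKER_* jumps sit ahead of the DOCKER-ISOLATION/DOCKER jumps and the POST_DOCKER_* jumps directly after the jump into DOCKER. Docker's own rules, including its trailing --icc ACCEPT or DROP rule, pass through unchanged. The hook chain names come from the issue; DOCKER and DOCKER-ISOLATION are the chains Docker creates; the sample `iptables -S FORWARD` output and the bridge name `docker0` are constructed inputs for the dry run.

```shell
#!/bin/sh
# Added example (not from the issue and not Docker code): show where the
# chains proposed above would sit in the filter table's FORWARD chain.
# Input is the output of `iptables -S FORWARD`; output is a reviewable plan
# of iptables commands. Chain names PRE_DOCKER_IN/OUT and POST_DOCKER_IN/OUT
# are the ones proposed in the issue; DOCKER and DOCKER-ISOLATION are the
# chains Docker itself creates. The bridge name is a parameter (docker0).

# Constructed sample of `iptables -S FORWARD` on a host where Docker owns the
# FORWARD chain with --icc=true (the last rule would be DROP with --icc=false).
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# chain_create_cmds: create each hook chain only if it is missing.
# `iptables -N` fails on an existing chain, so `|| true` leaves an admin's
# existing chain (and the rules in it) untouched, which is the "if it exists
# it will not be created" rule from the issue.
chain_create_cmds() {
  for c in PRE_DOCKER_IN PRE_DOCKER_OUT POST_DOCKER_IN POST_DOCKER_OUT; do
    printf 'iptables -N %s 2>/dev/null || true\n' "$c"
  done
}

# splice_forward BRIDGE: rewrite the -A FORWARD rules read on stdin so that
# PRE_DOCKER_* is hit before the DOCKER-ISOLATION/DOCKER jumps and
# POST_DOCKER_* right after the jump into DOCKER. Docker's own rules,
# including its trailing --icc ACCEPT/DROP rule, pass through unchanged;
# the -P policy line is dropped because only -A rules are re-added.
splice_forward() {
  awk -v br="$1" '
    /^-P / { next }
    # first Docker jump seen: put the PRE_* hooks ahead of it
    !pre_done && /-j DOCKER(-ISOLATION)?$/ {
      printf "-A FORWARD -o %s -j PRE_DOCKER_IN\n", br
      printf "-A FORWARD -i %s -j PRE_DOCKER_OUT\n", br
      pre_done = 1
    }
    { print }
    # the jump into the per-container DOCKER chain: POST_* hooks follow it
    $0 ~ ("-o " br " -j DOCKER$") {
      printf "-A FORWARD -o %s -j POST_DOCKER_IN\n", br
      printf "-A FORWARD -i %s -j POST_DOCKER_OUT\n", br
    }
  '
}

# plan BRIDGE: read the current FORWARD rules on stdin and print the commands
# an admin would review, then run with `| sh`. Every -A rule read is re-added
# after the flush, so non-Docker FORWARD rules survive. Re-running against a
# FORWARD chain that already has the hooks leaves it alone (idempotent).
plan() {
  rules=$(cat)
  chain_create_cmds
  if printf '%s\n' "$rules" | grep -q -- '-j PRE_DOCKER_IN'; then
    echo '# PRE/POST hooks already present, FORWARD left unchanged'
    return 0
  fi
  echo 'iptables -F FORWARD'
  printf '%s\n' "$rules" | splice_forward "$1" | sed 's/^/iptables /'
}

# Dry run on the constructed sample. On a real host:
#   iptables -S FORWARD | plan docker0        # review the plan
#   iptables -S FORWARD | plan docker0 | sh   # apply it
printf '%s\n' "$SAMPLE_FORWARD" | plan docker0
```

Two caveats a practitioner should keep in mind: the plan is a one-shot reordering, so after a daemon restart or network change re-check the ordering with `iptables -S FORWARD` and re-run the plan if the hooks are gone, and a rule placed in PRE_DOCKER_* that terminates with ACCEPT or DROP short-circuits Docker's own chains for that packet, which is the whole point of the proposal but also means published-port rules in DOCKER are never consulted for it.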