If dockerd is run with --iptables=false option, it skips most of iptables stuff. But still interfere a bit. Here is what I get when run dockerd with --iptables=false:

*filter
:INPUT ACCEPT [12730:1832196]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [54:6656]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN

Is it possible for docker not to touch iptables at all?