https://bugzilla.redhat.com/show_bug.cgi?id=1033606
--- Comment #9 from Josh Poimboeuf jpoimboe@redhat.com --- This isn't right:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
There should be more docker-related rules there. Is there a unit file that creates the docker0 device before docker starts? If so, remove it so that docker can create it and set up its iptables rules.