Linux hosts use a kernel module called iptables to manage access to network devices, including routing, port forwarding, and network address translation (NAT).
Docker modifies iptables rules when you start or stop containers, when you create or modify networks, when you attach containers to the network or other containers, and when you perform other network-related operations.
Typically, iptables rules are created by an initialization script or a daemon process such as firewalld. The rules do not persist across a system reboot, so the script or utility must run again after every reboot.
When firewalld is started or restarted, it removes the DOCKER chain from iptables, preventing Docker from working properly. When using systemd, firewalld is started before Docker. If you start or restart firewalld after Docker, you need to restart the Docker daemon to enable the iptables rules again.
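
A check for the situation described above, as an added example that is not part of the original documentation: it reads `iptables-save` output and reports whether the DOCKER chain is still declared. It assumes the chain is looked for in the `nat` and `filter` tables; the function names and the sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample rule sets below are constructed, not captured output.

# Print which of the nat/filter tables lack a ":DOCKER" chain declaration.
# Input: iptables-save text on stdin. Assumption: both tables should have it.
tables_missing_docker_chain() {
    table="" have_nat=0 have_filter=0
    while IFS= read -r line; do
        case "$line" in
            \**) table=${line#\*} ;;          # "*nat" opens a table section
            ":DOCKER "*)                      # ":DOCKER - [0:0]" declares the chain
                case "$table" in
                    nat)    have_nat=1 ;;
                    filter) have_filter=1 ;;
                esac ;;
        esac
    done
    missing=""
    [ "$have_nat" -eq 1 ]    || missing="nat"
    [ "$have_filter" -eq 1 ] || missing="${missing:+$missing }filter"
    printf '%s\n' "$missing"
}

# Return 0 if the chain is present in both tables, 1 if Docker needs a restart.
check_docker_chain() {
    missing=$(tables_missing_docker_chain)
    if [ -z "$missing" ]; then
        echo "OK: DOCKER chain present in nat and filter"
        return 0
    fi
    echo "MISSING: no DOCKER chain in: $missing; restart the Docker daemon"
    return 1
}

sample_docker_running() {            # constructed: Docker started after firewalld
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':DOCKER - [0:0]' \
        '-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' 'COMMIT' \
        '*filter' ':FORWARD DROP [0:0]' ':DOCKER - [0:0]' \
        '-A FORWARD -o docker0 -j DOCKER' 'COMMIT'
}

sample_after_firewalld_restart() {   # constructed: firewalld restarted after Docker
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' 'COMMIT' \
        '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' 'COMMIT'
}

sample_docker_running | check_docker_chain
sample_after_firewalld_restart | check_docker_chain || true
# Live use (as root): iptables-save | check_docker_chain
```

A non-zero exit status from `check_docker_chain` makes it usable as a health check that runs after firewalld is started or restarted.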