The first thing to understand about this topic is that, when it comes to iptables, Docker behaves like a spoiled child who takes whatever (s)he wants, even though the child has been forbidden to do so.
In other words, as you may already know, by default Docker ignores any pre-existing iptables rules when it adds its own chain to the tables. The result is a firewall that is useless for protecting access to the services hosted in your containers.
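A way to see this on a ruleset, as an added example that is not part of the original post: Docker publishes ports with DNAT rules in its own `DOCKER` chain of the `nat` table, so that traffic is forwarded and never evaluated by `INPUT`. The script lists published ports that have no matching `INPUT` ACCEPT rule; the function names and the sample ruleset are constructed for illustration.

```shell
# Constructed sample in iptables-save format (not taken from a real host).
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
COMMIT
EOF
}

# Reads iptables-save output on stdin and prints every port Docker publishes
# via DNAT that the INPUT chain does not explicitly accept.
docker_unfiltered_ports() {
    awk '
    /^\*/ { table = substr($0, 2) }    # "*nat", "*filter": track the current table
    {
        dport = ""; proto = ""; dest = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--to-destination") dest = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
    }
    table == "nat" && $1 == "-A" && $2 == "DOCKER" && target == "DNAT" {
        published[dport "/" proto] = dest
    }
    table == "filter" && $1 == "-A" && $2 == "INPUT" && target == "ACCEPT" && dport != "" {
        allowed[dport "/" proto] = 1
    }
    END { for (p in published) if (!(p in allowed)) print p " -> " published[p] }
    ' | sort
}

# On a real host (as root): iptables-save | docker_unfiltered_ports
sample_ruleset | docker_unfiltered_ports
```

With the sample, port 5432 is reported even though the `INPUT` policy is DROP and only ports 22 and 8080 are accepted there.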
So, at the office, we ran into this problem while we were migrating our projects into containers.