I added the icc=false flag to the docker daemon, and I see the DROP rule in the FORWARD chain:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
    0     0 DROP       all  --  docker0 docker0  anywhere             anywhere 

But I’m still able to ping between any running containers. Am I missing something?

I think I got it. I used CoreOS alpha and it seems that the br_netfilter module wasn’t loaded.

Since Linux kernel 3.18-rc1, you have to modprobe br_netfilter to enable bridge-netfilter.

So modprobe br_netfilter did the trick.