IPTables rules not created with non-explicit service port bindings

I have a weird issue: whenever I create a service (either via docker service create... or via a stack file), if I create an explicit port mapping ("30000:8080" etc.) I can access the service and iptables rules are created.

Edit: iptables rules that are created:

-A DOCKER-INGRESS -p tcp -m tcp --dport 30000 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 30000 -j ACCEPT

However, if I just put a single port ("8080") and ask Docker to pick an ingress port, no iptables rule is created and I can’t access the service. Has anyone seen this before / got any debugging suggestions?

Occurring on 17.03 in a client environment, but I can’t reproduce it with 17.03 locally. The same behavior happens with an external network, with an automatically created network, or with no network at all (just the service on ingress). The difference is whether I give a pair of ports (explicit mapping) or just a single port (and let Docker pick). The Docker-picked port is never added to iptables and the service is inaccessible.
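A quick cross-check for this symptom, added here as an example and not part of the original post: it pairs each service's ingress-published port (as reported by docker service inspect) with the ACCEPT rules in iptables -S DOCKER-INGRESS and lists the published ports that have no rule. The JSON and iptables text below are constructed samples in those tools' output formats; on a real manager/node you would feed in the live output instead.

```python
# Added diagnostic (not Docker's own tooling). Assumes the Endpoint.Ports
# shape of `docker service inspect` and the `iptables -S DOCKER-INGRESS`
# rule format; all sample data here is constructed.
import json
import re

# Constructed `docker service inspect` output: one service with an explicit
# "30000:8080" mapping, one where Docker assigned the published port.
SERVICE_INSPECT_JSON = json.dumps([
    {"Spec": {"Name": "web-explicit"},
     "Endpoint": {"Ports": [{"Protocol": "tcp", "TargetPort": 8080,
                             "PublishedPort": 30000, "PublishMode": "ingress"}]}},
    {"Spec": {"Name": "web-auto"},
     "Endpoint": {"Ports": [{"Protocol": "tcp", "TargetPort": 8080,
                             "PublishedPort": 30001, "PublishMode": "ingress"}]}},
])

# Constructed `iptables -S DOCKER-INGRESS`: only the explicit mapping got
# its ACCEPT rules, mirroring the symptom in the post.
IPTABLES_S_OUTPUT = """\
-N DOCKER-INGRESS
-A DOCKER-INGRESS -p tcp -m tcp --dport 30000 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 30000 -j ACCEPT
-A DOCKER-INGRESS -j RETURN
"""

ACCEPT_RE = re.compile(r"^-A DOCKER-INGRESS .*-p (\w+) .*--dport (\d+) .*-j ACCEPT$")

def published_ports(inspect_json):
    """Map (protocol, published_port) -> service name for ingress-mode ports."""
    ports = {}
    for svc in json.loads(inspect_json):
        for p in svc.get("Endpoint", {}).get("Ports", []):
            if p.get("PublishMode") == "ingress" and "PublishedPort" in p:
                ports[(p["Protocol"], p["PublishedPort"])] = svc["Spec"]["Name"]
    return ports

def accepted_ports(iptables_output):
    """Set of (protocol, dport) that have an inbound ACCEPT rule in DOCKER-INGRESS."""
    found = set()
    for line in iptables_output.splitlines():
        m = ACCEPT_RE.match(line.strip())
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found

def missing_ingress_rules(inspect_json, iptables_output):
    """Sorted [(service, protocol, port)] whose published port has no ACCEPT rule."""
    have = accepted_ports(iptables_output)
    return sorted((name, proto, port)
                  for (proto, port), name in published_ports(inspect_json).items()
                  if (proto, port) not in have)
```

Run it on live data with `docker service inspect $(docker service ls -q)` and `iptables -S DOCKER-INGRESS` on the node; any service it lists is one whose published port traffic will never reach the ingress network.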