POSTROUTING SNAT not applied on all outgoing traffic

I can’t make heads or tail out of this. If anyone is experienced in docker networking I’d really appreciate a hand.

the docker0 bridge is not attached to the physical nic eth0, only the docker containers vnics are attached. The NAT POSTROUTING chain contains masquerading rules that process >99.9% of all traffic from the docker containers. Somehow, one container leaks packets with it’s internal IP 172.17.0.3 to my LAN.

tcpdump shows the packets leaving the eth0 interface. I tried adding a SNAT rule on the NAT POSTROUTING chain targeting source ip 172.17.0.3. The packets still leak. I’m pretty sure the packets do not traverse the iptables NAT POSTROUTING chain.

According to what I’ve understood of bridged nics this could be the case if the physical nic was attached to the bridge. Then a frame could be bridged without even being lifted to the iptables chains. But since my physical nic is NOT attached to the docker0 bridge the only way a fram/packet could leave the host is by being routed which would make it have to traverse the iptables NAT POSTROUTING chain. This seems also to be the case with >99.9% of all packets in docker.

Is there anyway to trace the way a packets is bridged and routed to figure out why these few packets are emitted from the host?