Prevent Docker to change FORWARD rule chain and allow changes to DOCKER chain

In a restricted environment we try to configure access to the containers. Problem is that on restarts of docker iptables is messed up.

Accoording to documentation existing rules are not overwritten, but on restart our DOCKER chain is made empty. On startup additional rules are inserted at the start of the FORWARD chain.

Is it possible to make docker so that on startup it never changes the FORWARD chain, but when containers are started additonal rules are added to the DOCKER chain and NAT. This way we can limit access to the DOCKER chain preventing unwanted access.

We can configure the firewall correct, that is not an issue, but on restart it is messed up.

Any pointer is welcome