Docker and NAT to LAN on the same computer with iptables

I'm using iptables on my lab server (Ubuntu 18.04) to perform NAT on the rest of the devices on my network:

-t nat -A PREROUTING -i eno1 -p tcp -m tcp --dport 23 -j DNAT --to-destination 10.0.1.2:22
-t nat -A POSTROUTING -o eno1 -j MASQUERADE

-A FORWARD -s 10.0.0.0/24 -i eno2 -o eno1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.1.2 -p tcp -m tcp --dport 22 -j ACCEPT

In the past, it worked well. However, it broke down when I installed Docker. This is certainly due to Docker's rewrite of all my iptables rules. By default, some of my rules survive:

% sudo iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 257 packets, 36440 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6  1384 DNAT       tcp  --  eno1   any     anywhere             anywhere             tcp dpt:telnet to:10.0.1.2:22
  133  8676 DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 122 packets, 8474 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 42 packets, 3008 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  any    any     anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 21 packets, 2395 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere
    0     0 MASQUERADE  all  --  any    !br-643d6580203c  172.18.0.0/16        anywhere
   39  2900 MASQUERADE  all  --  any    eno1    anywhere             anywhere
    0     0 MASQUERADE  tcp  --  any    any     172.18.0.2           172.18.0.2           tcp dpt:8443

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 any     anywhere             anywhere
    0     0 RETURN     all  --  br-643d6580203c any     anywhere             anywhere
    0     0 DNAT       tcp  --  !br-643d6580203c any     anywhere             anywhere             tcp dpt:https to:172.18.0.2:8443

% sudo iptables -v -L
Chain INPUT (policy ACCEPT 600 packets, 44910 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 135 packets, 27966 bytes)
 pkts bytes target     prot opt in     out     source               destination
  176 32752 DOCKER-USER  all  --  any    any     anywhere             anywhere
  176 32752 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  any    br-643d6580203c  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    br-643d6580203c  anywhere             anywhere
    0     0 ACCEPT     all  --  br-643d6580203c !br-643d6580203c  anywhere             anywhere
    0     0 ACCEPT     all  --  br-643d6580203c br-643d6580203c  anywhere             anywhere
    0     0 ACCEPT     all  --  eno2   eno1    10.0.0.0/24          anywhere             ctstate NEW
   23  2682 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
6 1384 ACCEPT tcp - no matter which dpt tcp dpt: ssh

Chain OUTPUT (policy ACCEPT 505 packets, 66607 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-643d6580203c br-643d6580203c  anywhere             172.18.0.2           tcp dpt:8443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-643d6580203c !br-643d6580203c  anywhere             anywhere
  176 32752 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    docker0  anywhere             anywhere
    0     0 DROP       all  --  any    br-643d6580203c  anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  176 32752 RETURN     all  --  any    any     anywhere             anywhere

For example, static routes work. I can still access my workstation at 10.0.1.2 via port 22, but this same machine cannot go out. Looking at the outgoing server traffic, it looks like a ping does not even happen, let alone a reply.

I've just tried to add my rules in addition to the Docker instance running, but that did not work. The Docker documentation suggests placing items in the DOCKER-USER chain, although this does not exist in the nat table. The Docker documentation also suggests that I can simply disable Docker table manipulation, although I do not know how I would manually route the network to the containers.

Honestly, I do not know enough about the rules of Docker. Has anyone done this work?
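
Added example, not part of the original post: a first-match walk over the FORWARD rules from the rules and listing above, showing which rule, if any, accepts a packet before the chain's DROP policy applies. The names `Rule`, `FORWARD` and `verdict` are hypothetical, the test addresses 10.0.0.5 and 192.0.2.10 are constructed, and it assumes the workstation's traffic enters on eno2 and leaves on eno1.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    target: str
    iif: str = "any"
    oif: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    ctstate: tuple = ()   # empty: no conntrack match
    dport: int = 0        # 0: no TCP destination-port match

# FORWARD chain transcribed from the post. Docker's jump chains and the
# br-643d6580203c rules (same shape as docker0's) are left out: none of
# them match traffic between eno1 and eno2.
FORWARD = [
    Rule("ACCEPT", oif="docker0", ctstate=("RELATED", "ESTABLISHED")),
    Rule("ACCEPT", iif="docker0", oif="!docker0"),
    Rule("ACCEPT", iif="docker0", oif="docker0"),
    Rule("ACCEPT", iif="eno2", oif="eno1", src="10.0.0.0/24", ctstate=("NEW",)),
    Rule("ACCEPT", ctstate=("RELATED", "ESTABLISHED")),
    Rule("ACCEPT", dst="10.0.1.2/32", dport=22),
]

def _iface(pattern, name):
    if pattern.startswith("!"):
        return name != pattern[1:]
    return pattern in ("any", name)

def verdict(iif, oif, src, dst, state, dport=0, policy="DROP", chain=FORWARD):
    """First-match walk; returns (target, rule_index), index None if the policy decided."""
    for i, r in enumerate(chain):
        if (_iface(r.iif, iif) and _iface(r.oif, oif)
                and ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                and (not r.ctstate or state in r.ctstate)
                and (not r.dport or dport == r.dport)):
            return r.target, i
    return policy, None

if __name__ == "__main__":
    # Constructed packets: first packet of an outbound connection from each source.
    for src in ("10.0.1.2", "10.0.0.5"):
        print(src, verdict("eno2", "eno1", src, "192.0.2.10", "NEW", 443))
```

A new outbound connection from 10.0.1.2 matches no rule, because the NEW rule is limited to 10.0.0.0/24, so the chain policy decides: DROP in the listing above, while `policy="ACCEPT"` lets the same packet through.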