Docker and NAT to LAN on the same machine using iptables

I have been using iptables on my lab server (Ubuntu 18.04) to perform NAT for the rest of the devices on my network for a while:

-t nat -A PREROUTING -i eno1 -p tcp -m tcp --dport 23 -j DNAT --to-destination 10.0.1.2:22
-t nat -A POSTROUTING -o eno1 -j MASQUERADE

-A FORWARD -s 10.0.0.0/24 -i eno2 -o eno1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.1.2 -p tcp -m tcp --dport 22 -j ACCEPT

In the past, it has worked very well. However, it broke when I installed Docker. This is almost certainly because Docker rewrote all of my iptables rules. By default, some of my rules survive:

% sudo iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 257 packets, 36440 bytes)
pkts bytes target prot opt in out source destination
6 1384 DNAT tcp -- eno1 any anywhere anywhere tcp dpt:telnet to:10.0.1.2:22
133 8676 DOCKER all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 122 packets, 8474 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 42 packets, 3008 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- any any anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 21 packets, 2395 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any !docker0 172.17.0.0/16 anywhere
0 0 MASQUERADE all -- any !br-643d6580203c 172.18.0.0/16 anywhere
39 2900 MASQUERADE all -- any eno1 anywhere anywhere
0 0 MASQUERADE tcp -- any any 172.18.0.2 172.18.0.2 tcp dpt:8443

Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 any anywhere anywhere
0 0 RETURN all -- br-643d6580203c any anywhere anywhere
0 0 DNAT tcp -- !br-643d6580203c any anywhere anywhere tcp dpt:https to:172.18.0.2:8443

% sudo iptables -v -L
Chain INPUT (policy ACCEPT 600 packets, 44910 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 135 packets, 27966 bytes)
pkts bytes target prot opt in out source destination
176 32752 DOCKER-USER all -- any any anywhere anywhere
176 32752 DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
0 0 ACCEPT all -- any br-643d6580203c anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any br-643d6580203c anywhere anywhere
0 0 ACCEPT all -- br-643d6580203c !br-643d6580203c anywhere anywhere
0 0 ACCEPT all -- br-643d6580203c br-643d6580203c anywhere anywhere
0 0 ACCEPT all -- eno2 eno1 10.0.0.0/24 anywhere ctstate NEW
23 2682 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
6 1384 ACCEPT tcp -- any any anywhere dione tcp dpt:ssh

Chain OUTPUT (policy ACCEPT 505 packets, 66607 bytes)
pkts bytes target prot opt in out source destination

Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-643d6580203c br-643d6580203c anywhere 172.18.0.2 tcp dpt:8443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-643d6580203c !br-643d6580203c anywhere anywhere
176 32752 RETURN all -- any any anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any docker0 anywhere anywhere
0 0 DROP all -- any br-643d6580203c anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
176 32752 RETURN all -- any any anywhere anywhere

For example, static routes work. I can still access my workstation at 10.0.1.2 through port 22, but that same machine cannot get out. Looking at the traffic leaving the server, it seems that a ping is not even making it out, much less back.

I tried simply adding my rules back on top of the running Docker instance, but that did not work. The Docker documentation suggests putting things in the DOCKER-USER chain, although that chain does not exist in the nat table. The Docker documentation also suggests that I can disable Docker's table manipulation, although I do not know how to manually route the network to the containers.

Honestly, I do not know enough about Docker's rules. Has anyone gotten this to work?
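
An added example, not part of the original post: a small Python model of the FORWARD chain from the listing above, used to trace which rule (or the chain policy) decides a forwarded packet. It assumes the workstation 10.0.1.2 is reached through eno2 and that the FORWARD policy was ACCEPT before Docker was installed; the packets and the names `forward_verdict` and `rule_matches` are constructed for illustration.

```python
import ipaddress

# FORWARD rules from the post that can match eno1/eno2 traffic, in listing order.
# The DOCKER-USER and DOCKER-ISOLATION-STAGE-1 jumps RETURN every packet in the
# listing, and the other Docker rules need a docker0/br-* interface, so they are
# left out of this model.
FORWARD_RULES = [
    {"in": "eno2", "out": "eno1", "src": "10.0.0.0/24", "ctstate": {"NEW"}},
    {"ctstate": {"RELATED", "ESTABLISHED"}},
    {"proto": "tcp", "dst": "10.0.1.2/32", "dport": 22},
]

def rule_matches(rule, pkt):
    """True if every condition present in the rule matches the packet."""
    for key in ("in", "out", "proto", "dport"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("src", "dst"):
        if key in rule:
            net = ipaddress.ip_network(rule[key])
            if ipaddress.ip_address(pkt[key]) not in net:
                return False
    return "ctstate" not in rule or pkt["ctstate"] in rule["ctstate"]

def forward_verdict(pkt, policy="DROP"):
    """Return (verdict, rule number); the number is None when the policy decides."""
    for number, rule in enumerate(FORWARD_RULES, 1):
        if rule_matches(rule, pkt):
            return "ACCEPT", number
    return policy, None

# Constructed sample packets (documentation addresses stand in for Internet hosts).
# Assumption: the workstation 10.0.1.2 is reached through eno2.
PING_OUT = {"in": "eno2", "out": "eno1", "src": "10.0.1.2", "dst": "192.0.2.1",
            "proto": "icmp", "ctstate": "NEW"}
SSH_IN = {"in": "eno1", "out": "eno2", "src": "198.51.100.7", "dst": "10.0.1.2",
          "proto": "tcp", "dport": 22, "ctstate": "NEW"}
LAN_OUT = dict(PING_OUT, src="10.0.0.5")

if __name__ == "__main__":
    for name, pkt in [("ssh in", SSH_IN), ("ping out", PING_OUT),
                      ("10.0.0.5 out", LAN_OUT)]:
        print(name, forward_verdict(pkt))
    # Assumption: the policy was ACCEPT before Docker set it to DROP.
    print("ping out, policy ACCEPT:", forward_verdict(PING_OUT, policy="ACCEPT"))
```

In this model the forwarded SSH connection is accepted by the third rule, while a new outbound packet from 10.0.1.2 matches nothing (its source is outside 10.0.0.0/24) and falls through to the chain policy. That is consistent with the listing's counters: 0 packets on the ctstate NEW rule and 135 packets dropped by the FORWARD policy.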