diff --git a/minifirewall b/minifirewall
index 320fa49..a2c4a15 100755
--- a/minifirewall
+++ b/minifirewall
@@ -51,11 +51,20 @@ BROAD='255.255.255.255'
 PORTSROOT='0:1023'
 PORTSUSER='1024:65535'
 
+chain_exists()
+{
+    local chain_name="$1" ; shift
+    [ $# -eq 1 ] && local intable="--table $1"
+    iptables $intable -nL "$chain_name" >/dev/null 2>&1
+}
+
 # Configuration
 oldconfigfile="/etc/firewall.rc"
 configfile="/etc/default/minifirewall"
 
 IPV6=$(grep "IPV6=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
+DOCKER=$(grep "DOCKER=" /etc/default/minifirewall | awk -F '='  -F "'" '{print $2}')
+INT=$(grep "INT=" /etc/default/minifirewall | awk -F '='  -F "'" '{print $2}')
 
 case "$1" in
  start)
@@ -114,7 +123,6 @@ $IPT -N LOG_ACCEPT
 $IPT -A LOG_ACCEPT -j LOG  --log-prefix '[IPTABLES ACCEPT] : '
 $IPT -A LOG_ACCEPT -j ACCEPT
 
-
 if test -f $oldconfigfile; then
     echo "$oldconfigfile is deprecated, rename to $configfile" >&2
     exit 1
@@ -167,6 +175,33 @@ $IPT -A OUTPUT -o lo -j ACCEPT
 $IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
 
 
+if [ "$DOCKER" = "on" ]; then
+
+    $IPT -N MINIFW-DOCKER-TRUSTED
+    $IPT -A MINIFW-DOCKER-TRUSTED -j DROP
+
+    $IPT -N MINIFW-DOCKER-PRIVILEGED
+    $IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
+    $IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN
+
+    $IPT -N MINIFW-DOCKER-PUB
+    $IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
+    $IPT -A MINIFW-DOCKER-PUB -j RETURN
+
+    # Flush DOCKER-USER if exist, create it if absent
+    if chain_exists 'DOCKER-USER'; then
+        $IPT -F DOCKER-USER
+    else
+        $IPT -N DOCKER-USER
+    fi;
+
+    # Pipe new connection through MINIFW-DOCKER-PUB
+    $IPT -A DOCKER-USER -i $INT -m state  --state NEW -j MINIFW-DOCKER-PUB
+    $IPT -A DOCKER-USER -j RETURN
+
+fi
+
+
 # Local services restrictions
 #############################
 
@@ -220,6 +255,64 @@ for x in $SERVICESUDP3
     done
 
 
+if [ "$DOCKER" = "on" ]; then
+
+    # Public services defined in SERVICESTCP1 & SERVICESUDP1
+    for dstport in $SERVICESTCP1
+        do
+            $IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN
+        done
+
+    for dstport in $SERVICESUDP1
+        do
+            $IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN
+        done
+
+    # Privileged services (accessible from privileged & trusted IPs)
+    for dstport in $SERVICESTCP2
+        do
+            for srcip in $PRIVILEGIEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+
+            for srcip in $TRUSTEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+        done
+
+    for dstport in $SERVICESUDP2
+        do
+            for srcip in $PRIVILEGIEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+
+            for srcip in $TRUSTEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+        done
+
+    # Trusted services (accessible from trusted IPs)
+    for dstport in $SERVICESTCP3
+        do
+            for srcip in $TRUSTEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+        done
+
+    for dstport in $SERVICESUDP3
+        do
+            for srcip in $TRUSTEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+        done
+fi
+
 # External services
 ###################
 
@@ -325,11 +418,24 @@ trap - INT TERM EXIT
     $IPT -F ONLYTRUSTED
     $IPT -F ONLYPRIVILEGIED
     $IPT -F NEEDRESTRICT
-    $IPT -t nat -F
+    [ "$DOCKER" = "off" ] && $IPT -t nat -F
     $IPT -t mangle -F
     [ "$IPV6" != "off" ] && $IPT6 -F INPUT
     [ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
 
+    if [ "$DOCKER" = "on" ]; then
+        $IPT -F DOCKER-USER
+        $IPT -A DOCKER-USER -j RETURN
+
+        $IPT -F MINIFW-DOCKER-PUB
+        $IPT -X MINIFW-DOCKER-PUB
+        $IPT -F MINIFW-DOCKER-PRIVILEGED
+        $IPT -X MINIFW-DOCKER-PRIVILEGED
+        $IPT -F MINIFW-DOCKER-TRUSTED
+        $IPT -X MINIFW-DOCKER-TRUSTED
+
+    fi
+
     # Accept all
     $IPT -P INPUT ACCEPT
     $IPT -P OUTPUT ACCEPT
@@ -384,4 +490,3 @@ trap - INT TERM EXIT
 esac
 
 exit 0
-
diff --git a/minifirewall.conf b/minifirewall.conf
index 2599124..14a973a 100644
--- a/minifirewall.conf
+++ b/minifirewall.conf
@@ -8,6 +8,12 @@ INT='eth0'
 # IPv6
 IPV6=on
 
+# Docker Mode
+# Changes the behaviour of minifirewall to not break the containers' network
+# For instance, turning it on will disable nat table purge
+# Also, we'll add the DOCKER-USER chain, in iptable
+DOCKER='off'
+
 # Trusted IPv4 local network
 # ...will be often IP/32 if you don't trust anything
 INTLAN='192.168.0.2/32'
@@ -40,6 +46,7 @@ SERVICESUDP2=''
 SERVICESTCP3='5666'
 SERVICESUDP3=''
 
+
 # Standard output IPv4 access restrictions
 ##########################################