For some reason the powers that be at Docker have decided that with version 1.12 (or perhaps earlier, I don't track how lax I get between versions), the approach of using a SystemD override file for IPTABLES no longer works. At least, that is true if like me you had DOCKER_OPTS="--iptables=false" in /etc/systemd/system/docker.service.d/noiptables.conf.

Instead you now have to use environment variables rather than command-line-style parameters, so it is more along the lines of DOCKER_IPTABLES=false rather than --iptables=false. Still, this didn't work and it appeared that from some SystemD digging that the default Docker Systemd config file ignores my override file anyway.

It turns out the solution is explained (not obviously) here (no at the time of writing there is no FQDN, just an IP):

http://54.71.194.30:4110/engine/reference/commandline/daemon/

You must manually modify /etc/docker/daemon.json, which is a file that the Docker daemon DOES check at startup. Ensure there is a line there with "iptables": false. However since these are effectively default behaviour overrides, you can get away with just that in the file. So my file looks like:

{ "iptables": false }

Then reboot the docker daemon. I guess in hindsight that is a much easier way of doing it and is better for other overrides going forward, but they did an excellent job of informing their long-standing users of the changes.