@Larvitz I think your explanation of the docker behavior is incorrect. Port publishing using `-p` starts a docker-proxy userspace program on the host that listens on the specified port (effecting the input chain) and forwards the traffic to the container (using the output chain).
Using forwarding (with prerouting nat) instead could be faster.
The docker-proxy behavior enables port configurations like `127.0.0.1:80:8080`.