diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 1b23b6416b..fac4d01907 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -103,7 +103,7 @@ docker_runtime_directory: ""
 docker_client_timeout: 120

 # Docker networking options
-docker_disable_default_iptables_rules: "no"
+docker_disable_default_iptables_rules: "yes"
 docker_disable_default_network: "{{ docker_disable_default_iptables_rules }}"

 # Retention settings for Docker logs
diff --git a/releasenotes/notes/disable-docker-iptables-bridge-493feb35cba4c405.yaml b/releasenotes/notes/disable-docker-iptables-bridge-493feb35cba4c405.yaml
new file mode 100644
index 0000000000..fc3a909835
--- /dev/null
+++ b/releasenotes/notes/disable-docker-iptables-bridge-493feb35cba4c405.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+ - |
+ Docker iptables manipulation and bridge networking are now disabled by
+ default. This avoids problems that may be caused by Docker settings the
+ default policy of the ``FORWARD`` chain in the ``filter`` table to
+ ``DROP``. To revert to the previous behaviour, set
+ ``docker_disable_default_iptables_rules`` to ``no``. This sets the default
+ of ``docker_disable_default_network``.
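Review bot: The new default in ansible/group_vars/all.yml has no comment saying what the host gives up. Setting `docker_disable_default_iptables_rules` to "yes" also flips `docker_disable_default_network` on the next line, and the existing `# Docker networking options` header explains neither. Once Docker stops managing iptables, the `FORWARD` policy and any filtering of container traffic are presumably left to the host firewall, so a host that relied on Docker's `DROP` policy may end up forwarding more than before. I would add a comment above the variable, for example `# When "yes", Docker neither manages iptables rules nor creates the default bridge; FORWARD filtering must come from the host firewall.` The upgrade note could likewise tell operators to check the effective `FORWARD` policy after the change.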