diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 1b23b6416bba3d63dec573f6c5b5788ac09f18c0..fac4d019079c8f466582083fbae1f49994426081 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -103,7 +103,7 @@ docker_runtime_directory: ""
 docker_client_timeout: 120
 
 # Docker networking options
-docker_disable_default_iptables_rules: "no"
+docker_disable_default_iptables_rules: "yes"
 docker_disable_default_network: "{{ docker_disable_default_iptables_rules }}"
 
 # Retention settings for Docker logs
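Review bot: The new default on `docker_disable_default_iptables_rules` changes who owns packet filtering on every host, yet nothing at the definition says so; the only comment is `# Docker networking options`. Once Docker stops managing iptables, any forwarding, NAT or isolation rules that containers relied on must come from the host's own firewall configuration, which operators should verify after upgrading. I would add above the variable: `# "yes" stops Docker from managing iptables rules; host firewalling and any container forwarding/NAT must then be configured separately.` Because `docker_disable_default_network` takes its default from this value on the next line, a second comment such as `# Also sets the default of docker_disable_default_network; override that variable to change it independently.` would make the coupling explicit. How these variables reach the Docker daemon configuration is not visible in this hunk, so the wording should be checked against the role that consumes them.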
diff --git a/releasenotes/notes/disable-docker-iptables-bridge-493feb35cba4c405.yaml b/releasenotes/notes/disable-docker-iptables-bridge-493feb35cba4c405.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..fc3a909835a7ad7cf9b5a4d8d9f672563b492e03
--- /dev/null
+++ b/releasenotes/notes/disable-docker-iptables-bridge-493feb35cba4c405.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    Docker iptables manipulation and bridge networking are now disabled by
+    default. This avoids problems that may be caused by Docker settings the
+    default policy of the ``FORWARD`` chain in the ``filter`` table to
+    ``DROP``. To revert to the previous behaviour, set
+    ``docker_disable_default_iptables_rules`` to ``no``. This sets the default
+    of ``docker_disable_default_network``.