Docker uses its own iptables rules which have priority over the system ones. Therefore, even if you have an iptables-based firewall blocking all ports, a docker service will still be reachable, unless configured not to be in docker itself.
I do not understand what you mean by "priority over the system ones".
A docker container can have internal ports exposed explicitly, or use host networking. In any case, these are ports exposed by the docker-proxy executable - an executable like any other on the system.
Then come the iptables rules of the system (which open, or do not open, data flow to the ports exposed by docker-proxy).
Taking precedence was not the ideal word - it uses the same iptables, but it inserts its own table as the first one. Therefore it 'ignores' system rules, which might come as a surprise.
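An added example, not part of the thread above: a small audit that reads `iptables-save` output and lists ports Docker publishes that the host's INPUT chain never allowed. It assumes the usual layout in which a published port appears as a DNAT rule in a `DOCKER` chain of the nat table, so the traffic is forwarded to the container and is not evaluated by INPUT; the sample dump and the function name `audit` are constructed for illustration.

```python
import re

# Constructed iptables-save excerpt (not captured from a real host).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

# Assumed rule shapes: Docker's DNAT rule for a published port, and a
# port-specific ACCEPT rule written by the host firewall in INPUT.
DNAT = re.compile(r"-p (\w+) .*--dport (\d+) .*-j DNAT --to-destination (\S+)")
INPUT_ACCEPT = re.compile(r"^-A INPUT .*-p (\w+) .*--dport (\d+) .*-j ACCEPT")


def audit(dump):
    """Return (published, surprises) as lists of (proto, host_port, target)."""
    table, published, input_allowed = None, [], set()
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # "*nat", "*filter": table header
            table = line[1:]
        elif table == "nat" and line.startswith("-A DOCKER "):
            m = DNAT.search(line)
            if m:
                published.append((m.group(1), int(m.group(2)), m.group(3)))
        elif table == "filter":
            m = INPUT_ACCEPT.match(line)
            if m:
                input_allowed.add((m.group(1), int(m.group(2))))
    # Published ports that the INPUT rules never explicitly opened.
    surprises = [p for p in published if (p[0], p[1]) not in input_allowed]
    return published, surprises


if __name__ == "__main__":
    for proto, port, target in audit(SAMPLE)[1]:
        print(f"{proto}/{port} reaches {target} although INPUT does not allow it")
```

On a live host the same function can be fed the text produced by `iptables-save` instead of `SAMPLE`.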