With VMware Workstation these rules work fine; however, it doesn't use nat and forward to work.
Docker is not virtualization. And it adds its own rules to the firewall:
But I think the problem is within conntrack, which is not tracking state for forward. If I add the state "new", everything works fine...