I'm a big fan of both dokku and firehol. Dokku has made my deployments of simple apps nearly trivial, and firehol is my go-to iptables firewall. My problem is that they don't play well together. I don't think it's dokku's fault; I think the underlying problem is between firehol and docker, but that doesn't really matter to me.
I just upgraded docker, dokku, and iptables on the server I was running, and my firehol configuration stopped working. I don't know why, and I don't care. In the end, this is what worked for me:
What's strange to me is that I need to have the manually defined DOCKER and DOCKER-ISOLATION chains at the bottom of the configuration, even though to my eyes they don't do anything. My machine does appear to be appropriately secured at the IP packet level, though, so I'm happy.
I will talk to some people and see if they know why this is required, though.