diff --git a/bundles/docker-engine/files/docker-wrapper b/bundles/docker-engine/files/docker-wrapper
index c225ceb..20bf38d 100644
--- a/bundles/docker-engine/files/docker-wrapper
+++ b/bundles/docker-engine/files/docker-wrapper
@@ -18,6 +18,7 @@ PGID="$(id -g "docker-${name}")"
 if [ "$ACTION" == "start" ]
 then
     docker run -d \
+        --rm \
         --name "${name}" \
         --env "PUID=$PUID" \
         --env "PGID=$PGID" \
@@ -25,9 +26,8 @@ then
 % for k, v in sorted(environment.items()):
         --env "${k}=${v}" \
 % endfor
-        --network host \
 % for host_port, container_port in sorted(ports.items()):
-        --expose "127.0.0.1:${host_port}:${container_port}" \
+        --publish "127.0.0.1:${host_port}:${container_port}" \
 % endfor
 % for host_path, container_path in sorted(volumes.items()):
         --volume "/var/opt/docker-engine/${name}/${host_path}:${container_path}" \
@@ -38,7 +38,6 @@ then
 elif [ "$ACTION" == "stop" ]
 then
     docker stop "${name}"
-    docker rm "${name}"
 
 else
     echo "Unknown action $ACTION"
diff --git a/bundles/docker-engine/metadata.py b/bundles/docker-engine/metadata.py
index fa55b5e..39cc92f 100644
--- a/bundles/docker-engine/metadata.py
+++ b/bundles/docker-engine/metadata.py
@@ -18,6 +18,19 @@ defaults = {
             '/var/opt/docker-engine',
         },
     },
+    'nftables': {
+        'forward': {
+            'docker-engine': [
+                'ct state { related, established } accept',
+                'iifname docker0 accept',
+            ],
+        },
+        'postrouting': {
+            'docker-engine': [
+                'iifname docker0 masquerade',
+            ],
+        },
+    },
     'hosts': {
         'entries': {
             '172.17.0.1': {