diff --git a/drivers/bridge/setup_ip_tables.go b/drivers/bridge/setup_ip_tables.go
index 5865a18f18..c797a678f9 100644
--- a/drivers/bridge/setup_ip_tables.go
+++ b/drivers/bridge/setup_ip_tables.go
@@ -13,6 +13,7 @@ import (
 // DockerChain: DOCKER iptable chain name
 const (
 	DockerChain = "DOCKER"
+	DockerInputChain = "DOCKER-INPUT"
 	// Isolation between bridge networks is achieved in two stages by means
 	// of the following two chains in the filter table. The first chain matches
 	// on the source interface being a bridge network's bridge and the
@@ -58,6 +59,18 @@ func setupIPChains(config *configuration) (*iptables.ChainInfo, *iptables.ChainI
 		}
 	}()
 
+	_, err = iptables.NewChain(DockerInputChain, iptables.Filter, false)
+	if err != nil {
+		return nil, nil, nil, nil, fmt.Errorf("failed to create INPUT chain %s: %v", DockerInputChain, err)
+	}
+	defer func() {
+		if err != nil {
+			if err := iptables.RemoveExistingChain(DockerInputChain, iptables.Filter); err != nil {
+				logrus.Warnf("failed on removing iptables INPUT chain %s on cleanup: %v", DockerInputChain, err)
+			}
+		}
+	}()
+
 	isolationChain1, err := iptables.NewChain(IsolationChain1, iptables.Filter, false)
 	if err != nil {
 		return nil, nil, nil, nil, fmt.Errorf("failed to create FILTER isolation chain: %v", err)
@@ -82,7 +95,11 @@ func setupIPChains(config *configuration) (*iptables.ChainInfo, *iptables.ChainI
 		}
 	}()
 
-	if err := iptables.AddReturnRule(IsolationChain1); err != nil {
+	if err := iptables.AddReturnRule(DockerInputChain); err != nil {
+		return nil, nil, nil, nil, err
+	}
+
+	if err := iptables.AddReturnRule(IsolationChain1); err != nil {
 		return nil, nil, nil, nil, err
 	}
 
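Review bot: DockerInputChain in the first hunk is exported but, unlike DockerChain directly above it, carries no doc comment, so the const block becomes inconsistent and godoc shows the new name without explanation. A one-liner in the same form as the existing one, `// DockerInputChain: DOCKER-INPUT iptable chain name`, placed above the new constant keeps the two declarations parallel. It would help readers further to say that the chain is reached from the filter table's INPUT chain, since that is what distinguishes it from DOCKER, which the later hunks show hanging off FORWARD-side chains.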
@@ -90,6 +107,10 @@ func setupIPChains(config *configuration) (*iptables.ChainInfo, *iptables.ChainI
 		return nil, nil, nil, nil, err
 	}
 
+	if err := iptables.ProgramRule(iptables.Filter, DockerInputChain, iptables.Insert, []string{"-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP"}); err != nil {
+		return nil, nil, nil, nil, err
+	}
+
 	return natChain, filterChain, isolationChain1, isolationChain2, nil
 }
 
@@ -149,6 +170,13 @@ func (n *bridgeNetwork) setupIPTables(config *networkConfiguration, i *bridgeInt
 		n.portMapper.SetIptablesChain(natChain, n.getNetworkBridgeName())
 	}
 
+	d.Lock()
+	err = iptables.EnsureJumpRule("INPUT", DockerInputChain)
+	d.Unlock()
+	if err != nil {
+		return err
+	}
+
 	d.Lock()
 	err = iptables.EnsureJumpRule("FORWARD", IsolationChain1)
 	d.Unlock()
@@ -321,10 +349,14 @@ func removeIPChains() {
 	// Remove obsolete rules from default chains
 	iptables.ProgramRule(iptables.Filter, "FORWARD", iptables.Delete, []string{"-j", oldIsolationChain})
 
+	// Remove possibly installed references to chains
+	iptables.ProgramRule(iptables.Filter, "INPUT", iptables.Delete, []string{"-j", DockerInputChain})
+
 	// Remove chains
 	for _, chainInfo := range []iptables.ChainInfo{
 		{Name: DockerChain, Table: iptables.Nat},
 		{Name: DockerChain, Table: iptables.Filter},
+		{Name: DockerInputChain, Table: iptables.Filter},
 		{Name: IsolationChain1, Table: iptables.Filter},
 		{Name: IsolationChain2, Table: iptables.Filter},
 		{Name: oldIsolationChain, Table: iptables.Filter},
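Review bot: The conntrack INVALID DROP rule inserted into DockerInputChain in the first hunk on this line has no interface match, and DockerInputChain is jumped to from the host's INPUT chain in the next hunk, so it appears to apply to every packet destined to the host rather than only to traffic arriving over a bridge network; if that host-wide scope is intended, the line needs a comment saying so, because it is a filtering change operators will go looking for when a host-bound connection is silently dropped. Something like `// Drop packets conntrack classifies as INVALID; this applies to all host-bound traffic, not only bridge interfaces.` above the ProgramRule call would do. It is worth noting in that comment that the rule is added with Insert after the RETURN rule from the earlier hunk, which is what places the DROP ahead of the RETURN and makes it effective. setupIPChains begins outside this hunk.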
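Review bot: The error returned after `EnsureJumpRule("INPUT", DockerInputChain)` in the setupIPTables hunk is passed up bare, so a failure to install the INPUT jump reads the same as any other iptables error at the caller; wrapping it in the style the file already uses, `return fmt.Errorf("failed to ensure jump rule from INPUT to %s: %v", DockerInputChain, err)`, names the chain involved. The lock/call/unlock/check sequence is now repeated verbatim for INPUT and FORWARD, and a small helper taking the parent chain and target chain would remove the duplication and keep the two paths from drifting. The enclosing setupIPTables starts and ends outside the hunk, and d is declared outside it as well.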