diff --git a/ansible/roles/baremetal/tasks/install.yml b/ansible/roles/baremetal/tasks/install.yml
index e2fbf91618..3a2e70dc6b 100644
--- a/ansible/roles/baremetal/tasks/install.yml
+++ b/ansible/roles/baremetal/tasks/install.yml
@@ -46,6 +46,26 @@
   changed_when: false
   register: running_containers
 
+# APT starts Docker engine right after installation, which creates
+# iptables rules before we disable iptables in Docker config
+
+- name: Check if docker systemd unit exists
+  stat:
+    path: /etc/systemd/system/docker.service
+  register: docker_unit_file
+
+- name: Mask the docker systemd unit on Debian/Ubuntu
+  file:
+    src: /dev/null
+    dest: /etc/systemd/system/docker.service
+    owner: root
+    group: root
+    state: link
+  become: true
+  when:
+    - ansible_os_family == 'Debian'
+    - not docker_unit_file.stat.exists
+
 - name: Install apt packages
   package:
     name: "{{ (debian_pkg_install | join(' ')).split() }}"
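Review bot: The mask created by "Mask the docker systemd unit on Debian/Ubuntu" is only undone by the later `Start docker` tasks with `masked: no`, so a run that aborts between this task and those (the package install immediately below is the obvious candidate) leaves `docker.service` masked on the host and Docker will not start on reboot until the play is re-run to completion. The two-line comment above the tasks should say so, e.g. `# The unit stays masked until the Start/Enable docker tasks unmask it; an interrupted run leaves Docker unable to start until then.` The comment should also record why a `/dev/null` symlink via `file` is used instead of `systemd: masked: yes` — presumably because the unit does not exist before the package is installed, but that is inferred, not visible here — e.g. `# Masked by hand because the unit does not exist yet and the systemd module cannot mask it.` The `when` clause skips the mask whenever anything already exists at that path, including a local override unit, which is worth a word too.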
@@ -78,10 +98,11 @@
     # At some point (at least on CentOS 7) Docker CE stopped starting
     # automatically after an upgrade from legacy docker . Start it manually.
     - name: Start docker
-      service:
+      systemd:
         name: docker
         state: started
         enabled: yes
+        masked: no
       become: True
 
     - name: Wait for Docker to start
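Review bot: The new `masked: no` line reads better as the canonical boolean `masked: false`, matching the `become: true` introduced in the first hunk and yamllint's truthy rule; the same applies to the three `masked: no` lines added in post-install.yml (Start, Restart and Enable docker). The pre-existing `enabled: yes` / `become: True` are context and not part of this change. The block enclosing this `Start docker` task starts outside the hunk, so its `when` condition cannot be checked here; if it only runs on the CentOS upgrade path, the unmask on Debian relies entirely on the post-install.yml tasks, which a short comment next to `masked:` could state.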
diff --git a/ansible/roles/baremetal/tasks/post-install.yml b/ansible/roles/baremetal/tasks/post-install.yml
index 28271b9a63..3d1123ba86 100644
--- a/ansible/roles/baremetal/tasks/post-install.yml
+++ b/ansible/roles/baremetal/tasks/post-install.yml
@@ -224,22 +224,25 @@
   when: create_kolla_user | bool
 
 - name: Start docker
-  service:
+  systemd:
     name: docker
     state: started
+    masked: no
   become: True
 
 - name: Restart docker
-  service:
+  systemd:
     name: docker
     state: restarted
+    masked: no
   become: True
   when: docker_configured.changed or docker_reloaded.changed
 
 - name: Enable docker
-  service:
+  systemd:
     name: docker
     enabled: yes
+    masked: no
   become: True
 
 - name: Warn about deprecations
diff --git a/releasenotes/notes/bug-1923203-f9ff247befc4bd75.yaml b/releasenotes/notes/bug-1923203-f9ff247befc4bd75.yaml
new file mode 100644
index 0000000000..6073ed7b15
--- /dev/null
+++ b/releasenotes/notes/bug-1923203-f9ff247befc4bd75.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixed an issue when Docker was configured after startup on Debian/Ubuntu,
+    which resulted in iptables rules being created - before they were disabled.
+    `LP#1923203 <https://launchpad.net/bugs/1923203>`__