Clarify that ipmasq rules are not added when iptables is false

Signed-off-by: Misty Stanley-Jones <misty@docker.com>
(cherry picked from commit db3f06fd97)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

docs/reference/commandline/dockerd.md

@@ -1271,9 +1271,13 @@ set this parameter separately for each daemon.
 pid file here.
 - `--host=[]` specifies where the Docker daemon will listen for client connections. If unspecified, it defaults to `/var/run/docker.sock`.
 -  `--iptables=false` prevents the Docker daemon from adding iptables rules. If
-  multiple daemons manage iptables rules, they may overwrite rules set by
+multiple daemons manage iptables rules, they may overwrite rules set by another
-  another daemon. Be aware that disabling this option requires you to manually
+daemon. Be aware that disabling this option requires you to manually add
-  add iptables rules to expose container ports.
+iptables rules to expose container ports. If you prevent Docker from adding
+iptables rules, Docker will also not add IP masquerading rules, even if you set
+`--ip-masq` to `true`. Without IP masquerading rules, Docker containers will not be
+able to connect to external hosts or the internet when using network other than
+default bridge.
 - `--config-file=/etc/docker/daemon.json` is the path where configuration file is stored. You can use it instead of
 daemon flags. Specify the path for each daemon.
 - `--tls*` Docker daemon supports `--tlsverify` mode that enforces encrypted and authenticated remote connections.