Access to INPUT chain from rancher

I was wondering, does Rancher need any access to the host itself (INPUT chain), or are the PREROUTING rules enough for the connection between rancher and the host (i.e. the rancher containers running on it -ipsec, healthcheck and so on) to work flawlessly? If it does, what kind of access does it need? I’m only talking about connections initiated by Rancher, not by the host. i.e. we can presume that I related,established rule exists in the INPUT chain in the first position.

(The context would be rancher 1.6.25 running on ubuntu 18 with docker 18.06. The host also runs ubuntu 18 with docker 18.06