Add internet forwarding rules to chain DOCKER-USER instead of chain FORWARD

[mtreinik]

• Chain FORWARD can contain Docker's DOCKER-FORWARD rules that accepts anything, so the forwarding rules never takes effect
• DOCKER-USER is meant for policies like this that must run before Docker's own forwarding rules
• Return error if chain DOCKER-USER doesn't exist

Also:

• better logging of forwarded traffic: also log forwarded DNS queries and their responses and IP addresses added to ipset
• reduce TTL of dnsmasq DNS cache, because Microsoft servers have really short TTLs