Ubuntu – Can’t access docker bind port from public IP

Tags: bindings, docker, nat, Ubuntu

I've run portainer image using:

docker run -d -P -p 9000:9000 portainer/portainer

But I can only access the web UI on port 9000 locally, using lynx.
I allowed port 9000 through the firewall, both incoming and outgoing, so that shouldn't be the problem.

$ sudo iptables -t filter -L -n -v | grep 9000
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:9000

But I have a hard time interpreting the NAT table, which may be the suspect.

$ sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 7 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
  415 24676 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:9000

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !docker0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:9000 to:172.17.0.2:9000

Can anyone help me out here?

Update1:

I tried the same command on another Ubuntu server with the same Docker version, and there it works. The only difference in the NAT table after running and binding the container is a POSTROUTING record that says:

 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    10.0.0.0/8           0.0.0.0/0

But I think this may not be related, or is it?

Ubuntu 16.04
Docker version 17.05.0-ce, build 89658be

Best Answer

Thanks everyone for helping out in the comments,

It turns out I just used nmap <host> to check for open ports and found that 9000 is not open, though the internal firewall/iptables says otherwise.

Then I remembered that the VPS I'm using has another external firewall layer which I have to configure as well. Stupid me, but I learned the basic tracing process/commands. Thanks guys!
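The lesson of the answer is that an ACCEPT rule and a DNAT rule on the host say nothing about whether the published port answers from outside; that check has to be made from the far side, as the nmap run was. The script below is an added example, not code from the question or the answer: it parses `iptables -t nat -L -n -v` output for Docker's DNAT rules and probes each published TCP port with a plain connect. The embedded sample output is constructed (its 9000 rule mirrors the one shown above; the second 8080 rule is an assumption added for illustration), and the function names `parse_dnat_rules`, `tcp_reachable`, `audit_published_ports` and `load_nat_output` are mine.

```python
import re
import socket
import subprocess
import sys

# Constructed sample in the layout of `iptables -t nat -L -n -v` (not the
# question's own output; the 8080 rule is an assumption for illustration).
SAMPLE_NAT_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 7 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
  415 24676 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *      0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !docker0 *     0.0.0.0/0            0.0.0.0/0            tcp dpt:9000 to:172.17.0.2:9000
    0     0 DNAT       tcp  --  !docker0 *     0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.17.0.3:80
"""

# One DNAT rule line: counters, target, proto, opt, in, out, src, dst, match, dpt:, to:
DNAT_RE = re.compile(
    r"^\s*\d+\s+\d+\s+DNAT\s+(?P<proto>\w+)\s+--\s+(?P<inif>\S+)\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+\w+\s+dpt:(?P<hport>\d+)\s+"
    r"to:(?P<caddr>[\d.]+):(?P<cport>\d+)"
)


def parse_dnat_rules(text):
    """Return one dict per DNAT rule (chain, proto, inbound iface, host port,
    container addr:port) found in `iptables -t nat -L -n -v` output."""
    rules = []
    chain = None
    for line in text.splitlines():
        head = re.match(r"^Chain (\S+)", line)
        if head:
            chain = head.group(1)   # remember which chain the following rules belong to
            continue
        m = DNAT_RE.match(line)
        if m:
            rules.append({
                "chain": chain,
                "proto": m.group("proto"),
                "in_iface": m.group("inif"),
                "host_port": int(m.group("hport")),
                "container": f"{m.group('caddr')}:{m.group('cport')}",
            })
    return rules


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:           # refused, filtered/timed out, unroutable
        return False


def audit_published_ports(nat_output, host="127.0.0.1", timeout=2.0):
    """Map each DNAT-published TCP host port to whether it answers at `host`."""
    return {r["host_port"]: tcp_reachable(host, r["host_port"], timeout)
            for r in parse_dnat_rules(nat_output) if r["proto"] == "tcp"}


def load_nat_output(path=None):
    """Read saved iptables output from `path`; with no path, run iptables on this
    host and fall back to the embedded sample if that is not possible."""
    if path:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    try:
        proc = subprocess.run(["iptables", "-t", "nat", "-L", "-n", "-v"],
                              capture_output=True, text=True, check=True)
        return proc.stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_NAT_OUTPUT


if __name__ == "__main__":
    # usage: python3 audit_ports.py [saved_nat_output.txt] [target_host]
    nat_text = load_nat_output(sys.argv[1] if len(sys.argv) > 1 else None)
    target = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
    for rule in parse_dnat_rules(nat_text):
        if rule["proto"] != "tcp":
            continue
        state = "reachable" if tcp_reachable(target, rule["host_port"]) else "NOT reachable"
        print(f"{rule['proto']}/{rule['host_port']} -> {rule['container']} "
              f"(chain {rule['chain']}): {state} via {target}")
```

Run it with no arguments on the Docker host to compare the DNAT rules with what answers on loopback; to reproduce the answer's external check, save the host's `iptables -t nat -L -n -v` output to a file, copy it to a machine outside the VPS provider's firewall, and run the script there with the file and the host's public IP as arguments. A port that is listed by the DNAT rules and reachable on loopback but not from outside points at a filter beyond the host's own iptables, which is exactly what the answer found.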