docker-iptables-bypasses-ufw-requires-docker-user-chain

Docker writes iptables rules directly and bypasses UFW entirely: a container bound to 0.0.0.0:6380 is reachable at the iptables level even if UFW denies that port. The fix is to populate the DOCKER-USER iptables chain with explicit ACCEPT/DROP rules (ACCEPT established connections, traffic from docker0, the 172.x Docker bridge ranges, lo, and ports 80/443; DROP everything else arriving on eth0). Docker consults DOCKER-USER before its own FORWARD rules and never rewrites it, which is why rules placed there take effect and survive Docker restarts. You must also install iptables-persistent and save the rules. Caveat: reinstalling iptables-persistent auto-loads the previously saved file and wipes any rules added since, so re-apply the DOCKER-USER rules and run iptables-save explicitly afterwards.
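The DOCKER-USER setup described above as an added example (not code from the original note), plus a check that the DROP rule is still present after a reload. Assumed, not from the note: the external interface is eth0, Docker bridge networks live in 172.16.0.0/12, and the published web ports are 80 and 443.

```shell
#!/bin/sh
# Added example, not from the original note. Generates the DOCKER-USER rules the
# note describes and checks that they survived a reload. Assumptions (not from the
# note): external interface eth0, Docker bridges inside 172.16.0.0/12, published
# web ports 80 and 443. Override via environment variables if your host differs.
WAN_IF="${WAN_IF:-eth0}"
DOCKER_NET="${DOCKER_NET:-172.16.0.0/12}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80 443}"

# Print the iptables commands in the order they must appear in DOCKER-USER.
# DOCKER-USER sits in the FORWARD path and is consulted before Docker's own
# rules, so the DROP here closes ports Docker would otherwise publish past UFW
# (e.g. 0.0.0.0:6380). Host-local services (INPUT chain) stay governed by UFW.
docker_user_rules() {
    echo "iptables -F DOCKER-USER"
    echo "iptables -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A DOCKER-USER -i docker0 -j ACCEPT"
    echo "iptables -A DOCKER-USER -s $DOCKER_NET -j ACCEPT"
    echo "iptables -A DOCKER-USER -i lo -j ACCEPT"
    for port in $ALLOWED_TCP_PORTS; do
        echo "iptables -A DOCKER-USER -i $WAN_IF -p tcp --dport $port -j ACCEPT"
    done
    # Everything else arriving on the external interface is dropped; the
    # trailing RETURN hands remaining (internal) traffic back to Docker's rules.
    echo "iptables -A DOCKER-USER -i $WAN_IF -j DROP"
    echo "iptables -A DOCKER-USER -j RETURN"
}

# Apply the rules and persist them where iptables-persistent reads them on boot
# (Debian/Ubuntu path). Re-run this after reinstalling iptables-persistent.
apply_and_persist() {
    docker_user_rules | sh -e
    iptables-save > /etc/iptables/rules.v4
}

# Read iptables-save output on stdin; succeed only if the DROP on the external
# interface is still present. Useful after a reboot or a package reinstall that
# reloaded an older saved file and silently discarded newer rules.
docker_user_ok() {
    grep -q -- "^-A DOCKER-USER -i $WAN_IF -j DROP\$"
}

# Usage (as root): apply_and_persist
# Later check:     iptables-save | docker_user_ok || echo "DOCKER-USER DROP missing"
```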