iptables: Docker bypasses firewall rules

Fix Docker containers bypassing iptables or UFW firewall rules by modifying Docker daemon network settings.

Docker containers bypass iptables and UFW firewall rules because Docker inserts its own rules at the top of the FORWARD chain, ahead of user-defined rules, and traffic to published container ports is forwarded through that chain rather than through INPUT.

When This Problem Occurs with iptables

UFW or iptables rules block a port (e.g., port 8080), but a Docker container bound to that port is accessible from the internet. The firewall appears to have no effect on Docker-published ports.

What Causes Docker to Bypass iptables Rules

Docker manages iptables directly: for every published port it adds a DNAT rule in the nat table and an ACCEPT rule in the filter table's FORWARD chain (via its own DOCKER chain), and it inserts its FORWARD rules ahead of user-defined ones. Because the packet is forwarded to the container rather than delivered to the host, it traverses FORWARD, not INPUT, so INPUT chain restrictions (which is where UFW places its port rules) never apply to it.

How to Fix Docker Bypassing Firewall Rules

  1. Configure the Docker daemon not to manipulate iptables by adding to /etc/docker/daemon.json:

    {
      "iptables": false
    }
  2. Restart Docker:

    sudo systemctl restart docker
  3. Manage container port access manually with iptables FORWARD rules. Note that with "iptables": false Docker creates none of its rules, including the MASQUERADE rule that gives containers outbound internet access, so you must supply the NAT and forwarding rules yourself. A less disruptive option is to leave Docker's iptables management on and place your restrictions in the DOCKER-USER chain, which Docker creates for this purpose and evaluates before its own FORWARD rules.

Alternatively, bind published ports to 127.0.0.1 instead of 0.0.0.0 (the default), so that the DNAT rule only matches loopback destinations, and put a reverse proxy such as Nginx in front of the container to control external access:

docker run -p 127.0.0.1:8080:80 myapp
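As an added check that is not part of the original article, the audit below parses iptables-save output and reports, for each port Docker has published, whether it is bound to loopback, covered by admin rules in Docker's DOCKER-USER chain (the chain Docker evaluates before its own FORWARD rules), or exposed. The sample dump is constructed, and the function names are this example's own.

```python
import re

# Constructed `iptables-save` sample (not a real capture): 8080 published on all addresses, 9090 on 127.0.0.1 only, DOCKER-USER holding only Docker's default RETURN rule.
SAMPLE_IPTABLES_SAVE = """\
*nat
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 9090 -j DNAT --to-destination 172.17.0.3:9090
COMMIT
*filter
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT
"""

DNAT_RE = re.compile(r"^-A DOCKER (?P<match>.*) -j DNAT --to-destination \S+$")
DPORT_RE = re.compile(r"--dport (\d+)")
DADDR_RE = re.compile(r"(?<!! )-d (\S+)")  # destination match, skipping a negated '! -d'

def chain_rules(dump, table, chain):
    """Yield the '-A <chain> ...' lines of one table from iptables-save output."""
    current = None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:]
        elif current == table and line.startswith(f"-A {chain} "):
            yield line

def docker_user_filters(dump):
    """True if DOCKER-USER carries any admin rule beyond Docker's default '-j RETURN'."""
    return any(r != "-A DOCKER-USER -j RETURN" for r in chain_rules(dump, "filter", "DOCKER-USER"))

def audit_published_ports(dump):
    """Verdict per published port: 'loopback' (127.x bind, reachable only via the host or a proxy on it),
    'filtered' (admin rules in DOCKER-USER), or 'exposed' (DNAT + Docker's FORWARD ACCEPT; INPUT/UFW never see it)."""
    filtered = docker_user_filters(dump)
    verdicts = {}
    for rule in chain_rules(dump, "nat", "DOCKER"):
        m = DNAT_RE.match(rule)
        if not m:
            continue
        port = int(DPORT_RE.search(m.group("match")).group(1))
        daddr = DADDR_RE.search(m.group("match"))
        bound_local = daddr is not None and daddr.group(1).startswith("127.")
        verdicts[port] = "loopback" if bound_local else ("filtered" if filtered else "exposed")
    return verdicts
```

On a real host, feed the output of `sudo iptables-save` to audit_published_ports() instead of the constructed sample.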

For a detailed discussion of the Docker and UFW interaction, see the UFW troubleshooting article: Docker bypasses UFW rules.