The workaround I use, while a bit fragile, is like so:
1. disable docker's iptables updates by adding this to `/etc/docker/daemon.json`: `{"iptables": false}`
2. change `DEFAULT_FORWARD_POLICY` to `"ACCEPT"` in `/etc/default/ufw`
3. finally, add the following lines at the top of `/etc/ufw/before.rules`:

```
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
COMMIT
```
Where 172.17.0.0 is my docker0 interface's network.
Of course I don't know what happens on the next docker or ufw update, or whether there's a better way to make ufw aware of those DOCKER chains.
What I know for sure is that adding `ufw deny in on docker0` has no effect, which is odd.
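The three steps of the workaround above, as an added example that is not part of the original answer: a POSIX sh script whose functions apply each step to a file path passed as an argument, so it can be dry-run against copies before it touches the real `/etc/docker/daemon.json`, `/etc/default/ufw` and `/etc/ufw/before.rules`. Each function is idempotent (running it twice does not duplicate the nat block or the policy line), the docker0 network is checked to look like an IPv4 CIDR before it is written into a rule, and `check_workaround` reports whether all three pieces are in place. Assumptions: Linux with `sh`, `grep`, `sed` and `mktemp`; the `# docker-nat-workaround` marker comment and the function names are this example's own convention; an existing daemon.json with other content is deliberately not rewritten, because merging JSON blindly is exactly the fragile part.

```shell
#!/bin/sh
# Added example, not the answerer's code. Applies the docker/ufw workaround
# to the files given as arguments; paths are parameters so it can be tested
# on copies. Assumes Linux with sh, grep, sed.
set -eu

MARKER='# docker-nat-workaround'   # example's own idempotency marker

# Step 1: {"iptables": false} in daemon.json. Only writes a missing/empty
# file; an existing file with other settings is left for a human to merge.
write_daemon_json() {
    file=$1
    if [ -s "$file" ]; then
        grep -q '"iptables"[[:space:]]*:[[:space:]]*false' "$file" && return 0
        echo "refusing to overwrite non-empty $file; add \"iptables\": false by hand" >&2
        return 1
    fi
    printf '{"iptables": false}\n' > "$file"
}

# Step 2: DEFAULT_FORWARD_POLICY="ACCEPT" in the /etc/default/ufw-style file.
# Rewrites the existing line or appends one; no GNU-only sed -i.
set_forward_policy() {
    file=$1
    if grep -q '^DEFAULT_FORWARD_POLICY=' "$file"; then
        sed 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        echo 'DEFAULT_FORWARD_POLICY="ACCEPT"' >> "$file"
    fi
}

# Step 3: prepend the *nat block to before.rules. The network must look like
# an IPv4 CIDR (e.g. 172.17.0.0/16, the docker0 subnet) so a typo never ends
# up inside an iptables rule; the marker makes a second run a no-op.
prepend_nat_rules() {
    file=$1
    network=$2
    case $network in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]|[0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9][0-9]) ;;
        *) echo "not an IPv4 CIDR: $network" >&2; return 1 ;;
    esac
    grep -qF "$MARKER" "$file" && return 0
    {
        echo "$MARKER"
        echo '*nat'
        echo ':POSTROUTING ACCEPT [0:0]'
        echo "-A POSTROUTING ! -o docker0 -s $network -j MASQUERADE"
        echo 'COMMIT'
        cat "$file"
    } > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Returns 0 only when all three settings are present.
check_workaround() {
    daemon=$1 ufwdef=$2 rules=$3 network=$4
    grep -q '"iptables"[[:space:]]*:[[:space:]]*false' "$daemon" &&
    grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"$' "$ufwdef" &&
    grep -qF -- "-A POSTROUTING ! -o docker0 -s $network -j MASQUERADE" "$rules"
}

# Usage: sh docker-ufw-workaround.sh DAEMON_JSON DEFAULT_UFW BEFORE_RULES DOCKER0_CIDR
if [ $# -eq 4 ]; then
    write_daemon_json "$1"
    set_forward_policy "$2"
    prepend_nat_rules "$3" "$4"
    check_workaround "$1" "$2" "$3" "$4" && echo "workaround applied"
fi
```

After applying it to the real files, reload ufw and restart the docker daemon for the new settings to take effect; running `check_workaround` against the live paths afterwards is a cheap way to confirm a package update has not silently reverted one of the three pieces, which is the fragility the answer warns about.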