ufw

Comment 1 for bug 1717648

Pavel Savchenko (asfaltboy) wrote :

The workaround I use, while a bit fragile, is like so:

1. disable docker's iptables updates by adding this to /etc/docker/daemon.json: {"iptables": false}

2. change DEFAULT_FORWARD_POLICY to "ACCEPT" in /etc/default/ufw

3. finally, add the following lines at the top of /etc/ufw/before.rules:

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
COMMIT

Where 172.17.0.0 is my docker0 interface's network.

Of course I don't know what happens on next docker or ufw update, or whether there's a better way to make ufw aware of those DOCKER chains.
What I know for sure is that adding `ufw deny in on docker0` has no effect, which is odd.
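The three steps above, applied idempotently, as an added example (this is not the commenter's script, nor part of ufw or Docker): each step is a pure function on the file's text so it can be checked on a copy before touching /etc, the nat block is inserted ahead of the first table directive in before.rules (i.e. before `*filter`) and only once, and the subnet is parsed strictly so a host address such as 172.17.0.1/16 is rejected instead of being written into a MASQUERADE rule. The marker comment, the docker0/172.17.0.0/16 defaults and the `apply_workaround` name are assumptions of this example.

```python
#!/usr/bin/env python3
"""Idempotent helper for the three-file ufw/Docker workaround described above.

Added example, not the commenter's or ufw's code. The marker comment, the
docker0/172.17.0.0/16 defaults and the file paths are assumptions.
"""
import ipaddress
import json
import re
from pathlib import Path

MARKER = "# ufw-docker-workaround: masquerade traffic leaving the docker bridge"


def set_docker_iptables(daemon_json_text: str) -> str:
    """Step 1: return daemon.json with "iptables": false, keeping other keys."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    if not isinstance(cfg, dict):
        raise ValueError("daemon.json must hold a JSON object")
    cfg["iptables"] = False
    return json.dumps(cfg, indent=2, sort_keys=True) + "\n"


def set_forward_policy(default_ufw_text: str, policy: str = "ACCEPT") -> str:
    """Step 2: rewrite DEFAULT_FORWARD_POLICY in /etc/default/ufw (append if absent)."""
    line = 'DEFAULT_FORWARD_POLICY="%s"' % policy
    pattern = re.compile(r"^DEFAULT_FORWARD_POLICY=.*$", re.MULTILINE)
    if pattern.search(default_ufw_text):
        return pattern.sub(line, default_ufw_text, count=1)
    if default_ufw_text and not default_ufw_text.endswith("\n"):
        default_ufw_text += "\n"
    return default_ufw_text + line + "\n"


def nat_block(subnet: str, iface: str = "docker0") -> str:
    """Step 3: build the *nat fragment; strict parsing rejects a host-address typo."""
    net = ipaddress.ip_network(subnet, strict=True)  # "172.17.0.1/16" -> ValueError
    return "\n".join([
        MARKER,
        "*nat",
        ":POSTROUTING ACCEPT [0:0]",
        f"-A POSTROUTING ! -o {iface} -s {net} -j MASQUERADE",
        "COMMIT",
    ]) + "\n"


def add_nat_to_before_rules(before_rules_text: str, subnet: str,
                            iface: str = "docker0") -> str:
    """Insert the nat table ahead of the first table directive (*filter), exactly once."""
    if MARKER in before_rules_text:
        return before_rules_text  # already applied: leave the file alone
    block = nat_block(subnet, iface) + "\n"
    first_table = re.search(r"^\*\w+\s*$", before_rules_text, re.MULTILINE)
    if first_table is None:  # empty or comment-only file: append the block
        head = before_rules_text
        if head and not head.endswith("\n"):
            head += "\n"
        return head + block
    cut = first_table.start()
    return before_rules_text[:cut] + block + before_rules_text[cut:]


def apply_workaround(daemon_json: Path, default_ufw: Path, before_rules: Path,
                     subnet: str = "172.17.0.0/16", iface: str = "docker0") -> None:
    """Rewrite the three files in place; run as root, then restart docker and `ufw reload`."""
    existing = daemon_json.read_text() if daemon_json.exists() else ""
    daemon_json.parent.mkdir(parents=True, exist_ok=True)
    daemon_json.write_text(set_docker_iptables(existing))
    default_ufw.write_text(set_forward_policy(default_ufw.read_text()))
    before_rules.write_text(add_nat_to_before_rules(before_rules.read_text(), subnet, iface))


if __name__ == "__main__":
    import sys
    # The subnet must match the bridge actually in use: check `ip -4 addr show docker0`.
    bridge_subnet = sys.argv[1] if len(sys.argv) > 1 else "172.17.0.0/16"
    apply_workaround(Path("/etc/docker/daemon.json"), Path("/etc/default/ufw"),
                     Path("/etc/ufw/before.rules"), bridge_subnet)
```

Two caveats when using this: step 1 only takes effect after dockerd is restarted and step 3 after `ufw reload`, and with `"iptables": false` Docker also stops adding the DNAT rules behind `-p` published ports, so any port publishing has to be written into the same `*nat` table by hand.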