By default Docker daemon(dockerd) starts in an ‘open’ mode where all the advertised ports from docker are open for access from internet NO MATTER if the Linux system has a firewall that limits the access. That is because dockerd does give access to the ports at a lower level which ignored any firewall.
In order to be able to limit access to advertised ports on a docker server using a normal Linux firewall like UFW, dockerd needs to be started with the option:
eg. In Systemd start/stop script:(/etc/systemd/system/multi-user.target.wants/docker.service)
ExecStart=/usr/bin/dockerd --iptables=false -H fd:// --containerd=/run/containerd/containerd.sock
BUT this method does have some drawbacks: It prevents the containers to issue a new network connection to Internet from within the containers.
That can be very debilitating for some containers. One of the solution to this limitation is to do the following:
to the docker-compose.yml to each service in containers that are started by compose.