I’m not really sure how well this DANGEROUS situation is known, but I will try to explain it briefly here, because I’m not a specialist in Docker, iptables or UFW.
If you install Docker on a Linux system, for example Ubuntu 18.x, and want to use UFW as your firewall to block Internet access to some internal ports exposed by Docker containers, you’re in for a bad surprise. Docker inserts its own iptables rules ahead of the normal INPUT filter chain, so traffic to published container ports is handled before the UFW rules in INPUT ever see it. The result is that all the ports published by containers running in Docker are reachable from the Internet even if you blocked them in the UFW firewall. That is a very dangerous situation, where not-so-well-protected ports in Docker containers could easily get hacked.
Although the issue is discussed in depth in the following forum thread:
the quick and dirty solution is the following:
Note: Please read this forum thread first, since the implications of doing so might break some of the internal workings of your Docker containers.
On Ubuntu 18.04 things are different, because docker is started by systemd, so
/etc/default/docker is ignored. The solution described here creates the file /etc/systemd/system/multi-user.target.wants/docker.service with this content:

    [Service]
    ExecStart=
    ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false

(the empty ExecStart= line clears the value inherited from the packaged unit before the new one is set) and run systemctl daemon-reload afterwards.
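As an added example that is not part of the original post, the script below does two things: it writes the same --iptables=false override as a systemd drop-in file under /etc/systemd/system/docker.service.d/ (the standard override location, an alternative to editing the unit file itself; the file name no-iptables.conf is my choice), and it audits an iptables-save dump for ports that Docker's own nat rules DNAT into containers, which are exactly the ports reachable from outside regardless of what UFW has in INPUT. The iptables-save sample embedded in it is constructed to illustrate the situation described above: UFW drops port 3306 in INPUT, yet Docker publishes 3306 and 8080 via PREROUTING/DOCKER.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Content of the systemd drop-in. The empty ExecStart= clears the value from the
# packaged unit; systemd requires that before a new ExecStart= can be set.
docker_iptables_dropin() {
    cat <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false
EOF
}

# Install the drop-in and restart Docker (needs root; not run by the audit below).
install_docker_dropin() {
    dir=/etc/systemd/system/docker.service.d          # standard override directory
    mkdir -p "$dir"
    docker_iptables_dropin > "$dir/no-iptables.conf"   # file name is an assumption
    systemctl daemon-reload
    systemctl restart docker
}

# Read an iptables-save dump on stdin and print each host port that Docker's nat
# DOCKER chain DNATs to a container. UFW rules live in INPUT, but DNATed traffic
# is evaluated in nat PREROUTING and then filter FORWARD, never INPUT, so every
# port printed here is reachable from the Internet whatever UFW says.
docker_published_ports() {
    grep -E '^-A DOCKER .*-j DNAT' \
      | sed -nE 's/.*--dport ([0-9]+).*/\1/p' \
      | sort -n | uniq
}

# Constructed sample of an iptables-save dump (not captured from a real host):
# UFW drops 3306 in INPUT, while Docker publishes 8080->80 and 3306->3306.
SAMPLE_IPTABLES_SAVE=$(cat <<'EOF'
*nat
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.17.0.3:3306
COMMIT
*filter
-A INPUT -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 3306 -j DROP
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
EOF
)

# Run the audit over the constructed sample; on a real host replace the sample
# with: iptables-save | docker_published_ports
audit_sample() {
    printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | docker_published_ports
}

audit_sample
```

Running it prints 3306 and 8080, i.e. both published ports are exposed although UFW drops 3306. Keep in mind that with --iptables=false Docker also stops adding the MASQUERADE rule for outbound container traffic and stops wiring up -p port publishing, so containers lose outbound connectivity and published ports stop working until you add the corresponding NAT rules yourself.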
Note: If you know of a more elegant solution, please send it as a comment and I will be glad to include it here.