Why does Docker bypass UFW?

Docker manipulates iptables directly, inserting rules before UFW's rules. This means Docker-published ports are accessible even if UFW blocks them. Set iptables: false in Docker daemon config to prevent this.

How do I allow traffic from a specific IP only?

sudo ufw allow from 192.168.1.100 to any port 22 proto tcp. This allows SSH only from that IP. Combine with denying port 22 from other sources for IP-restricted access.

UFW Firewall Errors — Rules Not Working and Port Configuration Guide

Warningnetwork

Overview

Fix UFW (Uncomplicated Firewall) errors on Ubuntu including rules not applying, Docker bypassing UFW, and proper port configuration for services.

Key Details

UFW is the default firewall interface on Ubuntu and Debian, wrapping iptables/nftables
UFW must be explicitly enabled: sudo ufw enable (disabled by default on many installations)
Default policy: deny incoming, allow outgoing — must explicitly allow needed ports
Docker modifies iptables directly, bypassing UFW rules — a major security concern
UFW application profiles in /etc/ufw/applications.d/ define named service rules

Common Causes

UFW not enabled (disabled by default on fresh Ubuntu installations)
Rule order: UFW processes rules top-to-bottom, first match wins
Docker inserting iptables rules that bypass UFW's deny rules
IPv6 not configured: UFW defaults to IPv4 only unless IPV6=yes in /etc/default/ufw
Application profile not matching the actual port the service is using

Steps

1Enable UFW: sudo ufw enable (will not disconnect SSH if you allow it first)
2Allow SSH first: sudo ufw allow ssh (or sudo ufw allow 22/tcp) before enabling
3Allow a port: sudo ufw allow 80/tcp and sudo ufw allow 443/tcp for web
4Check status: sudo ufw status verbose to see all rules and default policies
5Fix Docker bypass: edit /etc/docker/daemon.json: {"iptables": false} (then manage Docker ports manually)
6Delete a rule: sudo ufw delete allow 80/tcp or sudo ufw delete <rule-number> (from ufw status numbered)