
I bought a VPS on Vultr (host system Ubuntu 22.04) with the example IP identified as 123.123.123 and tried to launch a new container with the following command:

docker run -d -p 8081:80 nginx:alpine

Knowing the public IP of my server, I should theoretically be able to access it through the following address in the browser: http://123.123.123:8081. However, it isn't working, at least publicly, because if I stop UFW on the host (using Ubuntu 22.04):

service ufw stop

Then I'm able to access it without any problem (or using cURL through SSH without disabling UFW):

[screenshot]

But, after enabling the uncomplicated firewall with:

service ufw start

Then the host is unreachable:

[screenshot]

These are the current rules of UFW:

[screenshot]

I also have a Portainer instance running through Docker (which also works only when UFW is disabled):

[screenshot]

I also tried using Nginx Proxy Manager, but I'm unable to make it work with something as simple as this basic nginx container. Any help is appreciated, and I'd be happy to provide more information if necessary.

Carlos Delgado

1 Answer

Surprisingly, Docker does not work out of the box with Linux’s “Universal Firewall,” or UFW. They both modify the same iptables configuration, and this can lead to misconfigurations exposing containers that weren’t supposed to be public.

A quick fix from Docker's official documentation, which isn't recommended for most users, and which seems not to be recommended by many other users either. Please read more about that below.

Prevent Docker from manipulating iptables

It is possible to set the iptables key to false in the Docker engine’s configuration file at /etc/docker/daemon.json, but this option is not appropriate for most users. It is not possible to completely prevent Docker from creating iptables rules, and creating them after-the-fact is extremely involved and beyond the scope of these instructions. Setting iptables to false will more than likely break container networking for the Docker engine.

This works; however, it is only a half solution. It disables Docker's ability to manage its own networking and can cause containers to be unable to access the internet at all out of the box. This can still work, but you'll need to manually maintain iptables rules for Docker containers and custom networks, which is complicated, annoying, and defeats the purpose of UFW's simplicity.

Another solution, which requires a bit more effort, can be found in this GitHub repo detailing the problem and the steps to fix it: https://github.com/chaifeng/ufw-docker

Also linking here a related question from StackOverflow.
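As an added example (not from the question, the answer, or the ufw-docker project), this Python script shows how a defender can spot the exposure the answer describes: it parses constructed samples of `docker ps --format '{{.Names}}\t{{.Ports}}'` and `iptables -S DOCKER-USER` output and lists ports published on all interfaces while DOCKER-USER still holds only Docker's default rule. The container names, ports, sample rules and the `eth0` interface are assumptions.

```python
import re

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output (assumed names/ports).
SAMPLE_DOCKER_PS = (
    "web\t0.0.0.0:8081->80/tcp, :::8081->80/tcp\n"
    "portainer\t0.0.0.0:9000->9000/tcp\n"
    "db\t127.0.0.1:5432->5432/tcp\n"
)
# Constructed sample of `iptables -S DOCKER-USER` on a host where nobody has added rules:
# Docker creates the chain with a single RETURN, so nothing in it filters forwarded traffic.
SAMPLE_DOCKER_USER_DEFAULT = "-N DOCKER-USER\n-A DOCKER-USER -j RETURN\n"

DEFAULT_RULE = "-A DOCKER-USER -j RETURN"
WILDCARD_BINDS = {"0.0.0.0", "::"}  # "all interfaces", which is what `-p 8081:80` binds to
PORT_RE = re.compile(r"(?P<ip>[\d.]+|::):(?P<hport>\d+)->\d+/(?P<proto>tcp|udp)")


def published_ports(docker_ps_output):
    """Yield (container, host_ip, host_port, proto) for every published port."""
    for line in docker_ps_output.splitlines():
        if "\t" not in line:
            continue
        name, ports = line.split("\t", 1)
        for m in PORT_RE.finditer(ports):
            yield name, m["ip"], int(m["hport"]), m["proto"]


def docker_user_has_admin_rules(iptables_output):
    """True if DOCKER-USER holds anything beyond Docker's default RETURN rule."""
    rules = [l for l in iptables_output.splitlines() if l.startswith("-A DOCKER-USER")]
    return any(rule != DEFAULT_RULE for rule in rules)


def audit(docker_ps_output, iptables_output):
    """Return {(container, host_port, proto)} reachable from any interface regardless of UFW.
    Traffic to a published port is DNAT'ed and traverses FORWARD, where Docker's chains sit
    ahead of UFW's, so UFW's usual INPUT rules never see it; only DOCKER-USER rules (or a
    127.0.0.1 bind) restrict it."""
    if docker_user_has_admin_rules(iptables_output):
        return set()  # an admin rule exists; review its scope instead of flagging every port
    return {(name, port, proto)
            for name, ip, port, proto in published_ports(docker_ps_output)
            if ip in WILDCARD_BINDS}


if __name__ == "__main__":
    for finding in sorted(audit(SAMPLE_DOCKER_PS, SAMPLE_DOCKER_USER_DEFAULT)):
        print("exposed despite UFW:", finding)
```

On a real host, feed it the output of the two commands named above instead of the constructed samples.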