Need more clarifications for Firewall Prerequisites

I am installing Docker Desktop on my Debian 12 computer, but first I need to install Docker Engine. I’ve understood everything about setting up Docker Desktop and Docker Engine, except for one crucial aspect: the firewall limitations in the “Install Docker Engine on Debian” documentation.

This is what I have gathered and understood so far:

  • When Docker exposes container ports, it does not honor the rules or configurations set by ufw (Uncomplicated Firewall) or by firewalld. This means that even if I set up a specific rule, for example with ufw, Docker can still expose those ports, bypassing my firewall rules.

  • Firewall rules should be created using iptables or ip6tables and added to the DOCKER-USER chain.

Here is the part where my confusion begins:

  • What does “only compatible with iptables-nft and iptables-legacy” mean here exactly? I need some elaboration here since the next sentence then says: “Firewall rules created with nft are not supported on a system with Docker installed.”

  • Should I install iptables-nft and set it up before installing the Docker Engine? Or does it not matter?

    • In “Packet filtering and firewalls” it says that “Docker creates iptables and ip6tables rules to implement network isolation, port publishing and filtering.” Does that mean iptables gets installed and configured automatically when installing Docker?

Any clarification or help will be greatly appreciated, thank you.
I apologize in advance if the wording of my understanding and questioning isn’t the best. I do have some previous experience with Docker, but I am still a beginner. The biggest project I’ve ever worked on was installing Docker Engine through ssh on a Raspberry Pi to set up Pi-hole.
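The two points the question raises (Docker only cooperates with the iptables-nft and iptables-legacy front ends, and custom rules belong in the DOCKER-USER chain) can be checked and applied with a small script. The following is an added example written for this thread, not code from the Docker documentation or from either poster; the interface name `eth0` and the source ranges `192.0.2.0/24` and `2001:db8::/32` are placeholders, and the function names are this example's own. `iptables -V` reports which backend the `iptables` binary uses (`(nf_tables)` for iptables-nft, `(legacy)` for iptables-legacy); rules written directly with the `nft` tool are what Docker does not see, so the script only generates `iptables`/`ip6tables` commands. The generated chain never issues ACCEPT: trusted and established traffic is handed back with RETURN so Docker's own FORWARD rules still decide, and the only verdict DOCKER-USER adds is DROP for everything else arriving on the external interface.

```shell
#!/bin/sh
# Added example for the DOCKER-USER question above (not from the Docker docs).
# Usage:  sh docker-user.sh apply [ext_if] [trusted_v4_cidr] [trusted_v6_cidr]
# Without "apply" it only defines the functions, so it can be sourced or tested.

# Classify the output of `iptables -V`.
# "nft"    -> iptables-nft (works with Docker)
# "legacy" -> iptables-legacy (works with Docker)
# anything else -> not an iptables front end Docker can cooperate with
iptables_backend() {
  case "$1" in
    *"(nf_tables)"*) echo nft ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# Print the commands that rebuild DOCKER-USER for one iptables binary.
#   $1 = iptables or ip6tables   $2 = external interface   $3 = trusted source CIDR
# The chain is flushed and re-appended in order, so running this twice is idempotent.
docker_user_rules() {
  ipt="$1"; ext_if="$2"; trusted="$3"
  cat <<EOF
$ipt -F DOCKER-USER
$ipt -A DOCKER-USER -i $ext_if -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
$ipt -A DOCKER-USER -i $ext_if -s $trusted -j RETURN
$ipt -A DOCKER-USER -i $ext_if -j DROP
$ipt -A DOCKER-USER -j RETURN
EOF
}

# Apply the rules for IPv4 and IPv6 after confirming the backend is one Docker supports.
# dockerd creates the DOCKER-USER chain itself, so it must be running first.
apply_docker_user_rules() {
  ext_if="$1"; trusted4="$2"; trusted6="$3"
  backend=$(iptables_backend "$(iptables -V 2>/dev/null)")
  if [ "$backend" = unknown ]; then
    echo "iptables-nft or iptables-legacy is required; found: $(iptables -V 2>&1)" >&2
    return 1
  fi
  echo "iptables backend: $backend"
  docker_user_rules iptables  "$ext_if" "$trusted4" | sh -e
  docker_user_rules ip6tables "$ext_if" "$trusted6" | sh -e
}

if [ "${1:-}" = "apply" ]; then
  apply_docker_user_rules "${2:-eth0}" "${3:-192.0.2.0/24}" "${4:-2001:db8::/32}"
fi
```

Run it as root once dockerd is up; the rules are not persisted across reboots, so hook the script into a systemd unit ordered after `docker.service` or into your firewall manager's post-up step. Print the rules first (`docker_user_rules iptables eth0 192.0.2.0/24`) and compare them with `iptables -S DOCKER-USER` after applying, so you can see that published ports are still reachable from the trusted range and dropped from elsewhere.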

By default, Docker updates firewall rules to open the ports you set with -p or ports: to be listened on by the host (when starting the container). It is possible to completely disable this functionality (doc, “iptables”).

About the tech details, others are more knowledgeable than me 🙂