Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
Feels weird that an application is allowed to override iptables though. I get that when it’s installed with root everything’s off the table, but still…
Linux lets you do whatever you want and that’s a side effect of it, there’s nothing preventing an app from messing with things it shouldn’t.
If you give it root
It is decidedly weird, and it’s something docker handles very poorly.