Fix: nftables and Docker Conflict on Linux

On a system where the iptables command is the nftables-backed variant (iptables-nft, what most current distributions install by default), Docker's rules end up inside the kernel's nf_tables subsystem as tables of Docker's own (table ip filter with chains FORWARD, DOCKER and DOCKER-USER, table ip nat for port publishing and masquerading). They sit next to whatever your nftables.conf defines, and the kernel evaluates every base chain hooked at the same point for every packet: an accept in one chain does not skip the others, while a drop in any of them is final. Two failures follow. A user forward chain with policy drop discards traffic that Docker's own FORWARD chain had already accepted, so containers lose internet access. And a reload of nftables.service that begins with flush ruleset, as the stock nftables.conf does, also wipes Docker's tables, leaving containers without NAT and forwarding until the daemon is restarted. Meanwhile Docker handles published ports with a DNAT rule plus its DOCKER chain in the forward path, so those ports are reachable from outside no matter what your input chain says; that is the sense in which the firewall is silently bypassed.

Option 1: Run Docker's rules through iptables-legacy
Docker has no backend setting of its own: it shells out to whichever iptables binary it finds on its PATH. The "iptables": true entry in daemon.json is the default and only needs to be written if it was set to false earlier; what actually moves the rules is the update-alternatives switch below.
# /etc/docker/daemon.json (must be valid JSON: no comments inside the file)
{
  "iptables": true
}
# Point iptables and ip6tables at the legacy backend, then restart Docker so it recreates its chains there:
sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
sudo systemctl restart docker
# Verify: the version string must end in "(legacy)" and Docker's chains must now be listed here, not in nft list ruleset:
iptables -V
sudo iptables-legacy -S DOCKER-USER
What this buys you: Docker's rules now live in the legacy xtables subsystem, so an nftables reload (and its flush ruleset) no longer removes them, and nft list ruleset shows only your own rules. What it does not do: the kernel still runs both the legacy hooks and your nftables base chains for each packet, so a forward chain with policy drop keeps dropping container traffic; for that you still need Option 2. Running the two backends side by side is supported, but neither tool shows the other's rules, so audit with both iptables-legacy -S and nft list ruleset.
Option 2: Let container traffic through your nftables forward chain
Keep Docker on iptables-nft and make your own forward chain accept what Docker's does. Accept everything that enters from a container bridge, but accept traffic leaving towards a bridge only for established flows and for connections Docker DNATed, i.e. published ports. A plain oifname "docker0" accept would expose every container port to anything the host routes, which is broader than Docker's own rules. User-defined networks get bridges named br-<id>, so match those as well (string wildcards in iifname/oifname need a current nftables).
# Add to the forward chain in nftables.conf:
chain forward {
  type filter hook forward priority 0; policy drop;
  ct state established,related accept
  # Outbound from containers: default bridge and user-defined br-* bridges
  iifname "docker0" accept
  iifname "br-*" accept
  # Inbound to containers only for connections Docker DNATed, i.e. published ports
  oifname "docker0" ct status dnat accept
  oifname "br-*" ct status dnat accept
}
Reload with sudo nft -f /etc/nftables.conf and confirm from a container that needs outbound access. Do not leave flush ruleset at the top of the file, or every reload will also remove Docker's tables; declare and flush only your own table instead (table inet filter followed by flush table inet filter) before the table definition.
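Before picking an option it helps to know where Docker's rules actually landed and what your forward chain does with bridge traffic. The script below is an added example, written for this page and not taken from the original page or from Docker: it classifies the output of iptables -V, and inspects an nft list ruleset dump for the policy and the bridge accept rules of the chain named forward. The ruleset text embedded in it is constructed for illustration; run the script with --live on a real host (root is needed for nft list ruleset) to inspect the actual ruleset.

```shell
#!/bin/sh
# Added example, not part of the original page or of Docker itself.
# Checks: (1) which backend the iptables command resolves to, which is where
# Docker's rules land; (2) what the user's nftables forward chain does with
# traffic entering from a container bridge. Run with --live on a real host.

# Map the output of `iptables -V` (e.g. "iptables v1.8.9 (nf_tables)") to a
# backend name. Docker shells out to this binary, so this decides whether its
# rules show up in `nft list ruleset` or only in `iptables-legacy -S`.
classify_backend() {
  case "$1" in
    *"(nf_tables)"*)       echo nf_tables ;;
    *"(legacy)"*)          echo legacy ;;
    "iptables v1."[0-7].*) echo legacy ;;   # pre-1.8 iptables has no nft backend
    *)                     echo unknown ;;
  esac
}

# Print the policy ("drop" or "accept") of the chain named "forward" in an
# `nft list ruleset` dump passed as $1. Docker's own iptables-nft chain is
# spelled FORWARD, so the lowercase match picks out the user's chain only.
forward_chain_policy() {
  printf '%s\n' "$1" | awk '
    /chain forward/            { in_fwd = 1; next }
    in_fwd && /^[[:space:]]*}/ { in_fwd = 0 }
    in_fwd && match($0, /policy [a-z]+;/) {
      print substr($0, RSTART + 7, RLENGTH - 8); exit
    }'
}

# Return 0 if that forward chain has an accept rule for packets entering from
# bridge $2 (e.g. docker0 or br-1a2b3c4d), 1 otherwise.
forward_chain_accepts_from() {
  printf '%s\n' "$1" | awk -v br="$2" '
    /chain forward/            { in_fwd = 1; next }
    in_fwd && /^[[:space:]]*}/ { in_fwd = 0 }
    in_fwd && index($0, "iifname \"" br "\"") && /accept/ { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# Constructed sample of what `nft list ruleset` prints on a host that applied
# Option 2 with Docker still on iptables-nft (Docker's tables abbreviated).
SAMPLE_RULESET='table inet filter {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		iifname "docker0" accept
		oifname "docker0" ct status dnat accept
	}
}
table ip filter {
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter jump DOCKER-USER
	}
	chain DOCKER-USER {
		counter return
	}
}'

# Live audit: needs root and the real tools; anything that cannot run is
# reported rather than assumed.
audit_live() {
  command -v iptables >/dev/null 2>&1 || { echo "iptables: not installed"; return 1; }
  backend=$(classify_backend "$(iptables -V 2>/dev/null)")
  echo "iptables backend: $backend"
  if [ "$backend" = legacy ]; then
    echo "Docker chains (legacy backend):"; iptables-legacy -S DOCKER-USER 2>/dev/null
  fi
  command -v nft >/dev/null 2>&1 || { echo "nft: not installed"; return 1; }
  ruleset=$(nft list ruleset 2>/dev/null) || { echo "nft list ruleset failed (run as root)"; return 1; }
  policy=$(forward_chain_policy "$ruleset")
  echo "user forward chain policy: ${policy:-no chain named forward}"
  # docker0 plus every user-defined bridge Docker created
  for br in docker0 $(ip -o link show type bridge 2>/dev/null | awk -F': ' '$2 ~ /^br-/ {print $2}'); do
    if forward_chain_accepts_from "$ruleset" "$br"; then
      echo "$br: outbound accepted by forward chain"
    else
      echo "$br: no accept rule in forward chain; with policy drop its containers cannot forward out"
    fi
  done
}

case "${1:-}" in
  --live) audit_live ;;
esac
```

The two awk helpers only look at the chain literally named forward, so a host that keeps its rules in a differently named chain needs the pattern adjusted; the live audit deliberately reports a missing tool or a failed nft call instead of treating the absence of rules as a clean result.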
