For outbound traffic, containers are NATed behind the host, so the outside world sees their requests as coming from the host machine. Reaching a process that runs on the host itself is different: that traffic arrives from the container's own address on Docker's bridge network, and your host firewall may need some extra configuration to let it through.

The Solution: Add a Firewall Rule for Docker's Subnet (e.g. 172.18.0.0/16)

If you've just tried to reach a process on the host, such as an HTTP service, from inside a container and the connection was refused or timed out, the host firewall is the likely culprit. Containers run on the host, but Docker puts them on their own bridge network to keep them logically separated, so they have their own IP addresses, and from the firewall's point of view their requests arrive from that subnet rather than from localhost. (Inside a container, localhost is the container itself; the host is reachable at the bridge's gateway address, for example 172.17.0.1 on the default network.)

You can see this by running ip addr (or the older ifconfig): next to your normal network interface you'll find docker0, the bridge for Docker's default network, plus a br-... interface for every user-defined network, such as the ones docker-compose creates. The default bridge uses 172.17.0.0/16; each user-defined network takes the next free block, so the first one typically gets 172.18.0.0/16, the next 172.19.0.0/16, and so on. Don't guess: docker network inspect <network> prints the subnet actually in use, and that is the range your rule needs to cover.

The fix is very simple: allow traffic from the address range Docker uses, which is what your firewall is currently dropping. It is a private range that is only reachable from inside the host, so allowing it carries little risk, with one caveat: every container on that network then gets the same access to the host, so allow only the port the containers actually need rather than opening the whole host to them. Note that Docker's own iptables rules (the FORWARD and DOCKER-USER chains) only govern traffic passing through the host; a connection from a container to a service on the host itself goes through the INPUT chain, which is exactly where UFW filters. For UFW, that would be:

Optionally specifying a port to open:

For iptables, that would be:
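Tying the three steps together, as an added example rather than the post's own commands: the POSIX shell script below asks the Docker daemon for the real subnet and bridge interface of a named network instead of hard-coding 172.18.0.0/16, then emits either the UFW rule (with or without a port) or the iptables rule. The network name, the port 8080 and the br-<id> interface naming are assumptions made for this example, not something the post states; run it with DRY_RUN=1 first so it prints the commands before anything touches the firewall.

```shell
#!/bin/sh
# Added example, not from the original post: build host-firewall rules that let
# containers on a Docker bridge network reach a service listening on the host.
# Assumptions (the post states none of these): the host service listens on TCP
# port 8080; the default "bridge" network is docker0 on 172.17.0.0/16 and a
# docker-compose network is br-<first 12 chars of its id> on 172.18.0.0/16.
# With DRY_RUN=1 the commands are printed instead of run through sudo.

# First subnet of a Docker network as reported by the daemon (needs the docker CLI).
docker_subnet() {
    docker network inspect -f '{{range .IPAM.Config}}{{.Subnet}}{{"\n"}}{{end}}' "$1" | head -n 1
}

# Host-side interface of a Docker bridge network: docker0 for the default
# network, br-<12-char id prefix> for user-defined bridges (needs the docker CLI).
docker_bridge_iface() {
    if [ "$1" = "bridge" ]; then
        echo docker0
    else
        echo "br-$(docker network inspect -f '{{.Id}}' "$1" | cut -c1-12)"
    fi
}

# UFW rule allowing the subnet in. With a port given it is limited to that one
# TCP port; without a port, every host port is opened to the containers.
ufw_rule() {
    subnet=$1; port=${2:-}
    if [ -n "$port" ]; then
        echo "ufw allow from $subnet to any port $port proto tcp"
    else
        echo "ufw allow from $subnet"
    fi
}

# iptables equivalent: inserted at the top of INPUT so it wins over a later
# DROP/REJECT, and pinned to the bridge interface so a packet with a spoofed
# 172.x source arriving on the public interface does not match.
iptables_rule() {
    subnet=$1; iface=$2; port=$3
    echo "iptables -I INPUT -i $iface -s $subnet -p tcp --dport $port -j ACCEPT"
}

# Print one rule (DRY_RUN=1) or execute it with sudo.
run_rule() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$1"
    else
        # word splitting of $1 into the command and its arguments is intended
        sudo $1
    fi
}

# Usage: DRY_RUN=1 sh docker-host-fw.sh <network> <port>
# e.g.   DRY_RUN=1 sh docker-host-fw.sh myproj_default 8080   (assumed names)
if [ $# -eq 2 ]; then
    net=$1; svc_port=$2
    subnet=$(docker_subnet "$net")
    iface=$(docker_bridge_iface "$net")
    echo "# $net: subnet $subnet on $iface" >&2
    if command -v ufw >/dev/null 2>&1; then
        run_rule "$(ufw_rule "$subnet" "$svc_port")"
    else
        run_rule "$(iptables_rule "$subnet" "$iface" "$svc_port")"
    fi
fi
```

Two design choices are worth spelling out. The rules are restricted to a single TCP port because the subnet is shared by every container on that network, so a blanket allow hands all of them the host's full set of listening services. The iptables variant also matches on the bridge interface: a source-address check alone is a weak filter, since anyone on the public interface can put a 172.18.x.x source on a packet, whereas a packet on docker0 or br-... really did come from a local container.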

For managed hosting services like AWS you may not need to change anything at the cloud level: security groups filter traffic at the instance's network interface and never see packets on the host's internal docker0 bridge. A host firewall such as UFW or iptables running on the instance does see them, though, so if you use one the rule above still applies.