That’s a separate situation, albeit related. That’s connections coming in from the outside and Docker adds rules to allow exposed ports through.
I’m not enormously familiar with netfilter/iptables chain rules but I believe the above is showing:
- If the connection is coming in from `docker0`, i.e. from the default docker network, return to the previous chain (stop processing rules in that chain).
- Otherwise if the connection is coming in from anything except `docker0`, if it’s also https or http, specify DNAT causing it to move on to the FORWARD chain.
So with the arrangement shown in the other topic, what happens is that if https or http traffic comes in from outside, it gets directed in to docker. If the traffic comes from the docker network however, it will be returned and rejected or dropped by the INPUT chain.
What `ufw allow https` does is add a rule to the INPUT chain accepting it. That way when the connection is returned to the INPUT chain as above, it will be accepted and find docker listening, ultimately being routed to the container.
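
The packet path described in this post, as an added Python model that is not part of the original post. The rules are a constructed stand-in for Docker's nat `DOCKER` chain (the listing the post refers to is not shown here), and the container address `172.17.0.2` and the default-deny INPUT policy are assumptions.

```python
# Simplified model: nat DOCKER chain first, then filter INPUT if no DNAT applied.
# Constructed sample rules, modelled on:
#   -A DOCKER -i docker0 -j RETURN
#   -A DOCKER ! -i docker0 -p tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443
#   -A DOCKER ! -i docker0 -p tcp --dport 80  -j DNAT --to-destination 172.17.0.2:80
NAT_DOCKER = [
    {"in": "docker0", "target": "RETURN"},
    {"not_in": "docker0", "dport": 443, "target": "DNAT", "to": "172.17.0.2:443"},
    {"not_in": "docker0", "dport": 80, "target": "DNAT", "to": "172.17.0.2:80"},
]

def matches(rule, iface, dport):
    """True if the packet satisfies every match condition on the rule."""
    if "in" in rule and iface != rule["in"]:
        return False
    if "not_in" in rule and iface == rule["not_in"]:
        return False
    if "dport" in rule and dport != rule["dport"]:
        return False
    return True

def nat_docker(iface, dport):
    """First matching rule wins. Returns the DNAT target, or None on RETURN/no match."""
    for rule in NAT_DOCKER:
        if matches(rule, iface, dport):
            return rule.get("to")  # RETURN rules carry no "to"
    return None

def route(iface, dport, input_accept_ports):
    """Return (chain, verdict) for a TCP packet addressed to the host."""
    dnat = nat_docker(iface, dport)
    if dnat:
        # Destination rewritten to the container: the packet is forwarded
        # and never reaches INPUT, so ufw's INPUT rules do not apply to it.
        return ("FORWARD", "to container " + dnat)
    # No DNAT: the destination is still the host, so INPUT decides.
    # Assumed policy: drop unless a rule (e.g. from `ufw allow https`) accepts.
    if dport in input_accept_ports:
        return ("INPUT", "ACCEPT")
    return ("INPUT", "DROP")

if __name__ == "__main__":
    for iface, allowed in [("eth0", set()), ("docker0", set()), ("docker0", {443})]:
        print(iface, sorted(allowed), route(iface, 443, allowed))
```

The first case shows that traffic from outside reaches the container whether or not an INPUT rule for the port exists; only the `docker0` cases depend on it.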