Securing RKE clusters with UFW

I’ve got a HA Rancher setup using RKE. I’m using an external nginx load balancer with communication over a private network. If I leave ufw disabled on the rancher server machines then the load balancer is able to route traffic to the rancher server.

However I’d like to secure those machines a little by disabling all incoming traffic over the WAN and only enabling private network traffic. So far I’ve got:

ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow in on [private network interface]

When enabled, this setup stops the load balancer routing traffic. I can see in the UFW logs that there are no blocks for my private network interface.

I’ve also tried allowing all traffic in on docker0 and flannel.1 to rule those out, although I’m not sure if the calico interfaces need to be allowed as well, because traffic just stops getting to the rancher server containers.

I have the forward policy set to accept.

Have I missed something setting up routing between the container networks and the host?
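The following is an added example, not code from the original post, showing one way to build and review the rule set described above for an RKE host. Host-bound traffic is handled by `ufw allow in on <iface>` (the INPUT chain), while traffic the host forwards between interfaces, which is what Docker and Kubernetes pod traffic looks like to the firewall, is governed by UFW's `route` rules (the FORWARD chain) and by the default routed policy; `ufw route` needs ufw 0.34 or newer. The private interface name `eth1`, the interface list `docker0 flannel.1`, and the sample `ufw status numbered` output are assumptions or constructed data, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): build the UFW rule set as a list of
# commands that can be reviewed before being applied, and check a "ufw status numbered"
# listing for interface rules that are still missing.
set -eu

# PRIVATE_IF is a placeholder for the host's private network interface (assumption: eth1).
PRIVATE_IF="${PRIVATE_IF:-eth1}"
# Container interfaces named in the post; the canal plugin also creates cali* interfaces,
# which are not listed here because the post has not confirmed they are needed.
CONTAINER_IFS="docker0 flannel.1"

# build_rules prints one ufw command per line. "allow in on" covers traffic addressed to
# the host itself; "route allow in on" and "default allow routed" cover traffic the host
# forwards on behalf of containers, which plain "allow in" rules never match.
build_rules() {
    printf '%s\n' \
        "ufw default deny incoming" \
        "ufw default allow outgoing" \
        "ufw default allow routed" \
        "ufw allow ssh" \
        "ufw allow in on ${PRIVATE_IF}"
    for ifname in ${CONTAINER_IFS}; do
        printf 'ufw allow in on %s\n' "${ifname}"
        printf 'ufw route allow in on %s\n' "${ifname}"
    done
}

# apply_rules: with DRY_RUN=1 (the default) only print the commands; with DRY_RUN=0
# execute them (requires root and a ufw that supports route rules).
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        build_rules
    else
        build_rules | while IFS= read -r cmd; do $cmd; done
    fi
}

# has_interface_rule STATUS_TEXT IFNAME: succeed if STATUS_TEXT (output of
# "sudo ufw status numbered") lists an "Anywhere on IFNAME  ALLOW IN" rule.
# The unescaped dot in names like flannel.1 also matches a literal dot, which is fine here.
has_interface_rule() {
    printf '%s\n' "$1" | grep -Eq "^\[ *[0-9]+\] Anywhere on $2 +ALLOW IN"
}

# missing_interface_rules STATUS_TEXT: print each expected interface that has no ALLOW IN rule.
missing_interface_rules() {
    for ifname in ${PRIVATE_IF} ${CONTAINER_IFS}; do
        has_interface_rule "$1" "${ifname}" || printf '%s\n' "${ifname}"
    done
}

# Constructed sample of "sudo ufw status numbered" output (not captured from a real host):
# the private interface rule is present but the container interfaces were forgotten.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Anywhere on eth1           ALLOW IN    Anywhere
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

if [ "${1:-}" = "--plan" ]; then
    echo "# commands that would be applied:"
    apply_rules
    echo "# interfaces with no ALLOW IN rule in the sample status:"
    missing_interface_rules "${SAMPLE_STATUS}"
fi
```

Run it with `--plan` to print the commands and the interfaces missing from the sample listing; pipe the real `sudo ufw status numbered` output into `missing_interface_rules` to compare the live host against the intended rule set before setting `DRY_RUN=0`.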

What does “sudo ufw status numbered” show?