Can't reach Docker container from other Docker container through host IP

I got a server running a Wireguard VPN on 10.0.1.254/24 and Docker is running on 172.17.0.1/16.

My docker-compose.yaml looks like this (simplified):

services:
  container_a:
    image: nginx:latest
    ports:
      - '10.0.1.254:80:80'

  container_b:
    image: alpine:latest

Now, I can reach nginx using wget http://10.0.1.254 on the host. I can also reach it the same way from a VPN peer (e.g. 10.0.1.1). But when I try to do this from within another Docker container (e.g. docker compose exec container_b wget http://10.0.1.254) I get a timeout. However, I can ping the host (docker compose exec container_b ping 10.0.1.254).

My guess is that this has something to do with the way Docker maps ports on the host. But I can't find much information about this. Does anyone know why this doesn't work?

Turns out I still had UFW installed, which was configured to allow incoming connection to this port on the wg0 interface. But the system was smart enough to take a shortcut, directly from one virtual Docker interface to the other, bypassing this ACCEPT rule for the wg0 interface.

I figured this out by using tail +1f /var/log/ufw.log, and then running the failing wget command from the other Docker container.

In my case the solution was to simply disable UFW (sudo ufw disable), as I'm not using it anyway.