How to Block Docker Ports with nftables Without Getting Bypassed

You add an nftables rule to drop traffic on port 8080. You check the ruleset — it's active. You curl localhost:8080 from outside the host, and the Dockerized API responds anyway. Your firewall just got ignored. This isn't a configuration mistake. Docker deliberately writes its own iptables rules that execute before nftables ever sees the packet. If you're running GPU inference services, internal LLM APIs, or any container that shouldn't be internet-facing, this behavior is a production security gap. Why Docker Bypasses Your Firewall Docker manipulates iptables-legacy directly, inserting DNAT rules in the nat table and ACCEPT rules in the filter table. These rules redirect incoming traffic to container IPs before your nftables ruleset runs. Check what Docker created: sudo iptables-legacy -t nat -L DOCKER -n -v sudo iptables-legacy -t filter -L DOCKER -n -v You'll see entries like: DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:172.17.0.2:8080 The packet gets rewritten and forwarded