Fix: Docker Bypasses UFW Firewall Rules
Docker inserts its own rules into the iptables DOCKER chain, which is evaluated before UFW's chains: traffic to a published port is DNAT'd and forwarded to the container, so it never reaches the INPUT chain where a UFW deny rule would apply. A container port published with -p 8080:80 is therefore reachable from the internet even when UFW has a deny rule for that port.
The Fix — Bind to 127.0.0.1
docker-compose.yml
ports:
  - "127.0.0.1:8080:80"   # not 0.0.0.0:8080:80
Verify the fix
sudo iptables -L DOCKER --line-numbers
No ACCEPT rule should appear for your port from external IPs.
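The fix above relies on every published port carrying an explicit loopback host address, and the verify step only covers one chain. An added example, not the page's tool or Docker's code, is this Python audit that parses docker-compose short-syntax port specs and `docker inspect` PortBindings output and flags any mapping bound to all interfaces or to a non-loopback address. The sample compose list and inspect JSON are constructed here for illustration; the function and field names are this example's own.

```python
"""Audit docker-compose port mappings and `docker inspect` port bindings for
host-interface exposure (added example; not the page's tool or Docker's code)."""
import ipaddress
import json
from dataclasses import dataclass


@dataclass
class PortFinding:
    spec: str            # the original mapping, for reporting
    host_ip: str         # "" means Docker's default: bind every interface
    host_port: str
    container_port: str
    protocol: str
    exposed: bool        # True when reachable on a non-loopback interface


def parse_compose_port(spec):
    """Parse compose short syntax [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO].

    Returns (host_ip, host_port, container_port, protocol); host_ip is ""
    when the spec gives none. IPv6 host addresses must be bracketed."""
    spec = str(spec).strip()
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    host_ip = ""
    if spec.startswith("["):                      # e.g. "[::1]:8080:80"
        end = spec.index("]")
        host_ip = spec[1:end]
        spec = spec[end + 1:].lstrip(":")
    parts = spec.split(":")
    if len(parts) == 1:
        host_port, container_port = "", parts[0]
    elif len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 3 and not host_ip:
        host_ip, host_port, container_port = parts
    else:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    return host_ip, host_port, container_port, proto


def is_exposed(host_ip):
    """An empty or unspecified address (0.0.0.0, ::) binds every interface;
    anything that is not a loopback address is reachable from outside."""
    if host_ip == "":
        return True
    return not ipaddress.ip_address(host_ip).is_loopback


def audit_compose_ports(port_specs):
    """Audit the `ports:` list of a compose service."""
    findings = []
    for spec in port_specs:
        host_ip, host_port, container_port, proto = parse_compose_port(spec)
        findings.append(PortFinding(str(spec), host_ip, host_port,
                                    container_port, proto, is_exposed(host_ip)))
    return findings


def audit_inspect_output(inspect_json):
    """Audit `docker inspect <container...>` JSON (a list of container objects),
    reading HostConfig.PortBindings as Docker emits it."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        bindings = (container.get("HostConfig") or {}).get("PortBindings") or {}
        for cport_proto, hosts in bindings.items():
            container_port, _, proto = cport_proto.partition("/")
            for binding in hosts or []:
                host_ip = binding.get("HostIp", "")
                findings.append(PortFinding(f"{name}:{cport_proto}", host_ip,
                                            binding.get("HostPort", ""),
                                            container_port, proto or "tcp",
                                            is_exposed(host_ip)))
    return findings


# Constructed sample inputs (not taken from any real host).
SAMPLE_COMPOSE_PORTS = ["8080:80", "127.0.0.1:8080:80", "[::1]:5432:5432",
                        "0.0.0.0:9000:9000/udp", "80"]
SAMPLE_INSPECT = json.dumps([{
    "Name": "/web",
    "HostConfig": {"PortBindings": {
        "80/tcp": [{"HostIp": "", "HostPort": "8080"}],
        "443/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8443"}],
    }},
}])


def main():
    for f in audit_compose_ports(SAMPLE_COMPOSE_PORTS) + audit_inspect_output(SAMPLE_INSPECT):
        status = "EXPOSED " if f.exposed else "loopback"
        print(f"{status}  {f.spec:<28} host_ip={f.host_ip or '(all interfaces)'}")


if __name__ == "__main__":
    main()
```

On a live host, feed `docker inspect $(docker ps -q)` into audit_inspect_output to check what Docker actually bound rather than what the compose file says; a port with an empty HostIp is the case UFW cannot protect.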
Paste your ufw status verbose output to audit Docker bypass risk.