Fix: Port Still Exposed After Adding UFW Deny Rule (Docker)
This is the Docker UFW bypass problem. After running sudo ufw deny 5432, PostgreSQL in a Docker container is still reachable from outside because Docker publishes the port with a DNAT rule in the nat table, so inbound packets travel through the FORWARD chain, where Docker's own DOCKER chain accepts them. UFW's deny rule sits in the INPUT chain, which these packets never traverse, and ufw status does not list the port at all.
Correct fix — bind container to localhost
# In docker-compose.yml:
services:
  postgres:
    ports:
      - "127.0.0.1:5432:5432"   # Not "5432:5432", which publishes on 0.0.0.0 (and :: when IPv6 is enabled)
Or use a DOCKER-USER chain rule
Docker evaluates DOCKER-USER before its own rules in FORWARD, so a DROP there takes effect. Insert the DROP first and the loopback ACCEPT second, because iptables -I prepends and the ACCEPT must land above the DROP:
sudo iptables -I DOCKER-USER -p tcp --dport 5432 -j DROP
sudo iptables -I DOCKER-USER -p tcp --dport 5432 -s 127.0.0.1 -j ACCEPT
sudo apt install iptables-persistent && sudo netfilter-persistent save
Caveat: DNAT has already rewritten the destination by the time DOCKER-USER runs, so --dport matches the container port. That works here only because host and container port are both 5432; for a mapping like "15432:5432" match the original port with -m conntrack --ctorigdstport 15432 instead. The DROP above also applies to forwarded container-to-container traffic on port 5432; add -i followed by the external interface name (for example -i eth0) to restrict it to traffic arriving from outside.
To audit, do not rely on ufw status verbose: it never shows Docker-published ports. List them with docker ps (any mapping shown as 0.0.0.0:PORT->… or :::PORT->… is reachable on all interfaces) and verify the chain with sudo iptables -L DOCKER-USER -n -v --line-numbers.
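An audit helper for the check above, added here as an example and not part of the original page or of Docker: it parses the output of docker ps --format '{{.Names}}\t{{.Ports}}' (fed on stdin, the sample below is constructed), prints every mapping published on a wildcard address, and emits the DOCKER-USER rules for the IPv4 ones using --ctorigdstport so the host port is matched even when it differs from the container port. The function names are this example's own.

```bash
#!/bin/sh
# Added example: audit Docker-published ports and generate DOCKER-USER rules.
# Input format is that of:  docker ps --format '{{.Names}}\t{{.Ports}}'
# The sample below is constructed, not captured from a real host.
SAMPLE_PS="$(printf 'postgres\t0.0.0.0:5432->5432/tcp, :::5432->5432/tcp\nweb\t127.0.0.1:8080->80/tcp\nredis\t6379/tcp\napi\t0.0.0.0:9000->9000/tcp\n')"

# Reads docker ps lines on stdin; prints one line per mapping whose host
# address is a wildcard: "container host_addr host_port container_port proto".
# Mappings without "->" (plain EXPOSE, e.g. "6379/tcp") are not published
# and are skipped, as are mappings bound to a specific address.
audit_exposed_ports() {
    awk -F'\t' '
    {
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            if (maps[i] !~ /->/) continue
            split(maps[i], halves, "->")
            host = halves[1]; cont = halves[2]
            # host is ADDR:PORT; the port is everything after the last colon,
            # which also handles the IPv6 form ":::5432".
            p = match(host, /:[0-9]+$/)
            addr = substr(host, 1, p - 1); hport = substr(host, p + 1)
            if (addr == "0.0.0.0" || addr == "::") {
                split(cont, cp, "/")
                print $1, addr, hport, cp[1], cp[2]
            }
        }
    }'
}

# Prints (does not apply) the iptables commands for each IPv4 wildcard
# mapping: DROP first, then the loopback ACCEPT, so that after two "-I"
# inserts the ACCEPT sits above the DROP. --ctorigdstport matches the
# pre-DNAT host port, which is what a client outside actually connects to.
# "::" listeners get a comment: when Docker is not managing ip6tables they
# are served by the userland docker-proxy and therefore go through INPUT,
# where ufw already applies; when it is, equivalent ip6tables rules are needed.
gen_docker_user_rules() {
    audit_exposed_ports | awk '{
        if ($2 == "::") {
            printf "# %s: IPv6 listener on %s/%s; add ip6tables rules only if Docker manages ip6tables\n", $1, $3, $5
            next
        }
        printf "iptables -I DOCKER-USER -p %s -m conntrack --ctorigdstport %s -j DROP\n", $5, $3
        printf "iptables -I DOCKER-USER -p %s -m conntrack --ctorigdstport %s -s 127.0.0.1 -j ACCEPT\n", $5, $3
    }'
}

# Stand-alone run on the constructed sample:
printf '%s\n' "$SAMPLE_PS" | audit_exposed_ports
printf '%s\n' "$SAMPLE_PS" | gen_docker_user_rules
```

On a real host replace the sample with docker ps --format '{{.Names}}\t{{.Ports}}' | audit_exposed_ports; review the generated commands before running them, and add an -i restriction if you do not want the DROP to affect inter-container traffic on that port.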