The Problem
You add an nftables rule to drop inbound traffic on port 8080 and confirm with `nft list ruleset` that it is loaded. You curl localhost:8080 anyway, and the Docker container answers. Docker has routed around your firewall.
Why Docker Bypasses nftables
Docker does not ignore nftables so much as work around it. It programs the kernel through the iptables command (whichever backend the host's iptables binary uses, legacy or nft), and the rules it installs sit at hooks that run earlier than, or on a different path from, the hook your rule is on.
When a container publishes a port, Docker adds a DNAT rule in the nat table's PREROUTING chain (via a jump to its own DOCKER chain) that rewrites the destination address to the container's IP. NAT prerouting runs before the filter hooks. After the rewrite the packet is no longer addressed to the host, so the routing decision sends it down the forward path, where Docker's DOCKER chain in FORWARD accepts it. A rule on the input hook dropping dport 8080 never sees that packet at all: it was rewritten and diverted before input was ever consulted.
# Verify Docker's NAT rules are active (use iptables-legacy if that is the host's backend)
sudo iptables -t nat -L DOCKER -n
On a host whose iptables is the nft backend, the same rules are also visible with `nft list ruleset` under the ip nat table.
The Fix: Disable Docker's iptables Management
{"iptables": false}
Save that to /etc/docker/daemon.json (merging it into the file if one already exists) and restart Docker with `sudo systemctl restart docker`. Docker then adds no iptables rules at all, so your nftables ruleset is the only thing deciding what reaches a container.
The caveat: with iptables management disabled, Docker also stops creating the rules that make container networking work. Published ports are no longer DNAT'd to containers and container outbound traffic is no longer masqueraded, so you have to supply the equivalent NAT and forward rules in nftables yourself. If you only want your firewall to govern published ports while keeping Docker's NAT, leave the setting at its default and put your rules in the DOCKER-USER chain instead; Docker creates that chain for exactly this purpose and jumps to it as the first rule in FORWARD, before any of its own accept rules.
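As an added example, not code from the original post, here is the kind of nftables ruleset you must provide yourself once Docker runs with "iptables": false, wrapped in a small POSIX shell script so it can be printed and checked before it is applied. Everything in it is an assumption for illustration: the bridge docker0 with subnet 172.17.0.0/16, a single container at 172.17.0.2 publishing port 8080, the host uplink eth0, and a trusted client network 10.0.0.0/8. It replaces the three things Docker would otherwise have done (DNAT for the published port, masquerade for container outbound traffic, and an accept in the forward path) and puts the access policy for port 8080 in the forward chain, which is where the DNAT'd packet actually travels.

```shell
#!/bin/sh
# Added example, not part of the original post or of Docker itself.
# Assumed topology (illustrative values only): bridge docker0 with subnet
# 172.17.0.0/16, one container at 172.17.0.2 publishing port 8080, host
# uplink eth0, and a trusted client network 10.0.0.0/8.
set -eu

BRIDGE="docker0"
SUBNET="172.17.0.0/16"
UPLINK="eth0"
PUB_PORT="8080"
CONTAINER_IP="172.17.0.2"
TRUSTED="10.0.0.0/8"

# Emit the ruleset on stdout. Kept as a function so it can be inspected
# (or diffed against `nft list ruleset`) before anything is loaded.
docker_nft_rules() {
    cat <<EOF
table ip docker_manual {
    chain prerouting {
        # Same job as Docker's nat PREROUTING -> DOCKER chain: rewrite the
        # published port to the container before routing picks the path.
        type nat hook prerouting priority dstnat; policy accept;
        iifname "$UPLINK" tcp dport $PUB_PORT dnat to $CONTAINER_IP:$PUB_PORT
    }
    chain postrouting {
        # Same job as Docker's MASQUERADE rule: containers need outbound NAT.
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $SUBNET oifname != "$BRIDGE" masquerade
    }
    chain forward {
        # The DNAT'd packet traverses forward, not input, so the access
        # policy for the published port lives here. Policy drop means only
        # the trusted network can reach the container's port.
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "$BRIDGE" oifname != "$BRIDGE" accept
        iifname "$UPLINK" oifname "$BRIDGE" ip saddr $TRUSTED ip daddr $CONTAINER_IP tcp dport $PUB_PORT accept
    }
}
EOF
}

# Number of accept rules for the published port; a sanity check that the
# generated policy exposes the port exactly once (to the trusted network).
count_port_accepts() {
    docker_nft_rules | grep -c "tcp dport $PUB_PORT accept"
}

# Apply only when explicitly asked; the default is a dry run that prints.
if [ "${1:-}" = "--apply" ]; then
    docker_nft_rules | nft -f -
    nft list table ip docker_manual
else
    docker_nft_rules
fi
```

Run it without arguments to print the ruleset, or with --apply as root to load it. It covers IPv4 and a single bridge only; each additional bridge or published container needs its own dnat and accept rule, and because the forward chain's policy is drop, any other forwarding the host performs must be allowed explicitly.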
This post is an excerpt from Practical AI Infrastructure Engineering — a production handbook covering Docker, GPU infrastructure, vector databases, and LLM APIs. Full book with 4 hands-on capstone projects available at https://activ8ted.gumroad.com/l/ssmfkx
Originally published at fivenineslab.com