How to block ports using nftables with Docker v29?

Hi, I have enabled the experimental nftables support that comes with Docker v29. Everything works for the most part. I stopped using iptables and ufw.

Docker adds its own nftables chains and rules separately from those in my /etc/nftables. But, as I understand nftables, a drop rule will always drop a packet no matter which chain it is in.

I want to block a port that is opened by Docker Compose, say 3000:8080, from the outside world. I added a forward chain with a rule to drop everything in /etc/nftables, then restarted both the nftables and Docker services. But it doesn’t seem to work as intended. The port is still reachable.

Would anyone know how I can build a firewall with nftables to block opened ports? (I understand that I can simply not open the port or restrict it to 127.0.0.1:3000. But for the sake of security, having a firewall is nice.)
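An added example of the kind of configuration the question describes (not taken from the poster or from Docker's own rules): a standalone nftables file that drops outside connections to a port Docker has published. It assumes the published host port is 3000 and the container port is 8080, as in the question, and that Docker's bridge interface is named `docker0`; the table and chain names `host_filter` / `forward` are arbitrary. Two details matter for the rule to take effect: the chain must be a base chain (it needs `type`, `hook` and `priority`, otherwise the kernel never consults it), and Docker publishes ports with DNAT in the prerouting hook, so a packet reaching the forward hook is already addressed to the container's port 8080, and a plain `tcp dport 3000` match in a forward chain never matches.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the original post.
# Assumptions: host port 3000 is published to container port 8080 (from the
# question) and Docker's bridge interface is "docker0" (assumption).

table inet host_filter {
    chain forward {
        # A base chain needs "type ... hook ... priority ...". A chain without a
        # hook is never evaluated. A drop verdict in any base chain is final, but
        # a priority below the default "filter" value (0) makes this chain run
        # before chains registered at priority 0 in the same hook.
        type filter hook forward priority -10; policy accept;

        # Docker has already DNAT'ed the packet in prerouting, so the current
        # destination port is 8080. Match the pre-NAT port through conntrack
        # ("ct original proto-dst") so the rule is written in terms of the host
        # port that was published. The counter shows whether the rule matched.
        iifname != "docker0" oifname "docker0" meta l4proto tcp ct original proto-dst 3000 counter drop comment "block published port 3000 from outside"

        # Equivalent match on the post-NAT container port, for reference:
        # iifname != "docker0" oifname "docker0" tcp dport 8080 counter drop
    }
}
```

Load it with `nft -f /etc/nftables.conf` (or restart the nftables service), then confirm it coexists with Docker's tables via `nft list ruleset`. To check that the rule actually sees traffic, attempt a connection from another host and run `nft list chain inet host_filter forward`: the `counter` packet count on the drop rule should increase. If it stays at zero while the port is still reachable, the packet is not arriving at this chain at all (wrong interface name, non-base chain, or the rule matching the post-NAT port by mistake), which narrows the search considerably.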

That may be true, but why would you open a port just to close it with another rule? Unless you want to allow access from a specific network on a machine which is connected to two different networks directly, I would just simply not open the port. For example on a developer PC.

I’m not a security guy, and although I know about principles like “least privilege”, I often see firewalls in front of Docker hosts, not on them, while ports are opened only when needed on Docker hosts (or Kubernetes) in their own dedicated network, and only specific people get access to a specific port of that network.

That said, if you need help with nftables, I recommend sharing how you tried to configure it. Since I have not worked with nftables yet, I would also like to learn with you if anyone shares a solution.