お世話になっております。
DockerコンテナでRocket.Chatを起動しています。
ホストOS（Debian）でUFWでin,outすべてALL拒否しているのにも関わらず、
Rockt.Chatにアクセスできてしまいます。（これを止めたい）
http://ホストIPアドレス:3000/
PC → Rocket.Chatコンテナ

PC → ホストOS → NGINX（リバプロ）→ Rocket.Chatコンテナとしたいのですが、
UFWをすり抜けるため解決方法を模索していますが見つからずご質問させていただきました。

設定内容
docker-compose.yml（Rocket.Chat）

version: '2'

services:
rocketchat:
image: registry.rocket.chat/rocketchat/rocket.chat:latest
command: >
bash -c
"for i in seq 1 30; do
node main.js &&
s=$$? && break || s=$$?;
echo "Tried $$i times. Waiting 5 secs...";
sleep 5;
done; (exit $$s)"
restart: unless-stopped
volumes:
- ./uploads:/app/uploads
environment:
- PORT=3000
- ROOT_URL=http://localhost:3000
- MONGO_URL=mongodb://mongo:27017/rocketchat
- MONGO_OPLOG_URL=mongodb://mongo:27017/local
#- MAIL_URL=smtp://smtp.email
#- HTTP_PROXY=http://proxy.domain.com
#- HTTPS_PROXY=http://proxy.domain.com
depends_on:
- mongo
ports:
- 3000:3000
labels:
- "traefik.backend=rocketchat"
- "traefik.frontend.rule=Host: your.domain.tld"

mongo:
image: mongo:4.0
restart: unless-stopped
volumes:
- ./data/db:/data/db
#- ./data/dump:/dump
command: mongod --smallfiles --oplogSize 128 --replSet rs0 --storageEngine=mmapv1
labels:
- "traefik.enable=false"

#this container's job is just run the command to initialize the replica set.
#it will run the command and remove himself (it will not stay running)
mongo-init-replica:
image: mongo:4.0
command: >
bash -c
"for i in seq 1 30; do
mongo mongo/rocketchat --eval "
rs.initiate({
_id: 'rs0',
members: [ { _id: 0, host: 'localhost:27017' } ]})" &&
s=$$? && break || s=$$?;
echo "Tried $$i times. Waiting 5 secs...";
sleep 5;
done; (exit $$s)"
depends_on:
- mongo

#hubot, the popular chatbot (add the bot user first and change the password before starting this image)
hubot:
image: rocketchat/hubot-rocketchat:latest
restart: unless-stopped
environment:
- ROCKETCHAT_URL=rocketchat:3000
- ROCKETCHAT_ROOM=GENERAL
- ROCKETCHAT_USER=bot
- ROCKETCHAT_PASSWORD=botpassword
- BOT_NAME=bot
#you can add more scripts as you'd like here, they need to be installable by npm
- EXTERNAL_SCRIPTS=hubot-help,hubot-seen,hubot-links,hubot-diagnostics
depends_on:
- rocketchat
labels:
- "traefik.enable=false"
volumes:
- ./scripts:/home/hubot/scripts
#this is used to expose the hubot port for notifications on the host on port 3001, e.g. for hubot-jenkins-notifier
ports:
- 3001:8080