diff --git a/v1/providers/nebius/instance.go b/v1/providers/nebius/instance.go
index 15a33cd..7d01fb7 100644
--- a/v1/providers/nebius/instance.go
+++ b/v1/providers/nebius/instance.go
@@ -1744,14 +1744,19 @@ func generateCloudInitUserData(publicKey string, firewallRules v1.FirewallRules)
 `, publicKey)
 }
 
+ var commands []string
 // Generate UFW firewall commands (similar to Shadeform's approach)
 // UFW (Uncomplicated Firewall) is available on Ubuntu/Debian instances
- ufwCommands := generateUFWCommands(firewallRules)
+ commands = append(commands, generateUFWCommands(firewallRules)...)
 
- if len(ufwCommands) > 0 {
+ // Generate IPTables firewall commands to ensure docker ports are not made immediately
+ // accessible from the internet by default.
+ commands = append(commands, generateIPTablesCommands()...)
+
+ if len(commands) > 0 {
 // Use runcmd to execute firewall setup commands
 script += "\nruncmd:\n"
- for _, cmd := range ufwCommands {
+ for _, cmd := range commands {
 script += fmt.Sprintf(" - %s\n", cmd)
 }
 }
@@ -1786,6 +1791,17 @@ func generateUFWCommands(firewallRules v1.FirewallRules) []string {
 return commands
 }
 
+// generateIPTablesCommands generates IPTables firewall commands to ensure docker ports are not made immediately
+// accessible from the internet by default.
+func generateIPTablesCommands() []string {
+ commands := []string{
+ "iptables -I DOCKER-USER -i lo -j ACCEPT",
+ "iptables -I DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
+ "iptables -A DOCKER-USER -j DROP",
+ }
+ return commands
+}
+
 // convertIngressRuleToUFW converts an ingress firewall rule to UFW command(s)
 func convertIngressRuleToUFW(rule v1.FirewallRule) []string {
 cmds := []string{}
diff --git a/v1/providers/shadeform/ufw.go b/v1/providers/shadeform/firewall.go
similarity index 99%
rename from v1/providers/shadeform/ufw.go
rename to v1/providers/shadeform/firewall.go
index 5590fa3..1b7044f 100644
--- a/v1/providers/shadeform/ufw.go
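Review bot: The DOCKER-USER rules appended at `commands = append(commands, generateIPTablesCommands()...)` exist only in the running kernel, so unlike the UFW rules (which ufw itself persists and re-applies at boot) they are gone after the first reboot and the "not accessible from the internet by default" protection lapses silently. They also presuppose that Docker has already created the DOCKER-USER chain when cloud-init's runcmd executes; if Docker is installed later in the boot, every `iptables ... DOCKER-USER` call fails with "No chain/target/match by that name", and I would not rely on runcmd stopping on that failure. I would state both constraints in the comment introducing them, e.g. `// NOTE: requires the DOCKER-USER chain (Docker already running) at runcmd time; these rules are not persisted across reboots`, and consider a persistence step such as `netfilter-persistent save` where that package is present. generateCloudInitUserData begins before this hunk, so I cannot see whether any Docker setup precedes these commands.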
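Review bot: `iptables -A DOCKER-USER -j DROP` in generateIPTablesCommands appends below the `RETURN` rule Docker installs in DOCKER-USER by default, so the DROP is never reached and published container ports stay reachable; the same `-A` form appears in the shadeform `ipTablesDropDockerUserInbound` constant in the third hunk. Simply switching it to `-I` would over-correct: DOCKER-USER is traversed by every forwarded packet, so an unscoped DROP also discards NEW connections that containers initiate toward the internet (and, with br_netfilter enabled, likely inter-container traffic), while `-i lo` never matches forwarded traffic at all. The documented pattern scopes the drop to packets entering from the external interface, so the three rules can be replaced by the single `iptables -I DOCKER-USER -i <ext_if> -m conntrack --ctstate NEW -j DROP`, with the interface name, which this function does not know, resolved from the default route in the same runcmd or passed in as a parameter. Either way the resulting chain layout should be checked with `iptables -S DOCKER-USER` on a booted instance before the comment's claim is relied upon.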
+++ b/v1/providers/shadeform/firewall.go
@@ -15,7 +15,6 @@ const (
 ufwDefaultAllowPort2222 = "ufw allow 2222/tcp"
 ufwForceEnable = "ufw --force enable"
 
- // ipTablesAllowDockerUserInpboundLoopback = "iptables -I DOCKER-USER -i lo -j ACCEPT"
 ipTablesAllowDockerUserOutbound = "iptables -I DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
 ipTablesDropDockerUserInbound = "iptables -A DOCKER-USER -j DROP"