Most people use a VPC network when creating a Kubernetes cluster, place a Load Balancer in front of it, and then use an Ingress controller in the cluster to route traffic into the cluster. This Ingress controller usually opens one (or more) NodePorts on the cluster nodes in the 30000-32767 port range; this is where the load balancer sends the incoming traffic.
The problem is that DigitalOcean AUTOMATICALLY creates a firewall for the Kubernetes cluster nodes in which the 30000-32767 port range is open to the public internet. While you can manually modify this firewall (so those ports are only open to the VPC and NOT to the public internet), your change will be overwritten the next time the cluster changes and that firewall gets reconciled.
You can also create another (supplementary) firewall, but since firewalls combine their permissive rules, you cannot close those ports to the public internet with another firewall; you can only open up new ones.
In summary: ALL Kubernetes clusters on DigitalOcean have all their NodePorts open to the public internet, and there is no way to permanently close them!
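An added audit script (not from this post or from DigitalOcean) that applies the above to firewall objects in the DigitalOcean API shape: because permissive rules are combined across firewalls, it flags any inbound rule in any firewall that overlaps 30000-32767 and admits a non-private source. The sample firewalls are constructed, treating RFC1918 space as the VPC is an assumption, and `doctl compute firewall list -o json` is the assumed way to obtain real firewall JSON.

```python
import ipaddress
NODEPORT_LOW, NODEPORT_HIGH = 30000, 32767
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of the DigitalOcean API firewall object (not real output).
SAMPLE_FIREWALLS = [
    {"name": "k8s-auto-created", "inbound_rules": [
        {"protocol": "tcp", "ports": "30000-32767", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
        {"protocol": "udp", "ports": "30000-32767", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
    ]},
    {"name": "vpc-only-supplement", "inbound_rules": [
        {"protocol": "tcp", "ports": "30000-32767", "sources": {"addresses": ["10.120.0.0/20"]}},
        {"protocol": "tcp", "ports": "443", "sources": {"addresses": ["0.0.0.0/0"]}},
    ]},
]

def port_range(ports):
    """Parse the API port string: "443", "30000-32767", or "all"."""
    if ports in ("all", "0", ""):
        return 0, 65535
    lo, _, hi = ports.partition("-")
    return int(lo), int(hi or lo)

def overlaps_nodeports(ports):
    lo, hi = port_range(ports)
    return lo <= NODEPORT_HIGH and hi >= NODEPORT_LOW

def public_sources(sources):
    # Assumption: RFC1918/ULA ranges are the VPC; tag, droplet and load-balancer
    # sources are internal by definition, so only address sources are examined.
    return [a for a in sources.get("addresses", [])
            if a in ANY_ADDRESS or not ipaddress.ip_network(a, strict=False).is_private]

def exposed_nodeport_rules(firewalls):
    """Rules from all firewalls combine additively: one permissive rule anywhere exposes the range."""
    findings = []
    for fw in firewalls:
        for rule in fw.get("inbound_rules", []):
            if rule.get("protocol") not in ("tcp", "udp"):  # icmp rules carry no ports
                continue
            if overlaps_nodeports(rule.get("ports", "")):
                public = public_sources(rule.get("sources", {}))
                if public:
                    findings.append((fw["name"], rule["protocol"], rule["ports"], public))
    return findings

if __name__ == "__main__":  # replace SAMPLE_FIREWALLS with the JSON from `doctl compute firewall list -o json`
    for name, proto, ports, srcs in exposed_nodeport_rules(SAMPLE_FIREWALLS):
        print(f"{name}: {proto}/{ports} reachable from {', '.join(srcs)}")
```

The supplementary VPC-only firewall produces no finding on its own, which is exactly why adding one cannot undo the auto-created firewall's public rule.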
Possible solutions:
- allow firewall rules to close ports (e.g. REJECT)
- on the auto-created firewall, open the NodePorts only to the VPC (and not to the public internet) when the Kubernetes cluster was created in a VPC
See others complaining about the same issue in Macil's comment at https://www.digitalocean.com/community/questions/how-to-customize-firewall-rules-for-managed-kubernetes-service