Fix a firewall that blocks SSH

We'll confirm the block with ssh -v, check ufw or iptables, add an allow rule for port 22, and reload—or tell you when to escalate.

Category
Troubleshooting · Servers & Linux
Time
10–20 min
What you'll need
  • Console or physical access to the server (SSH may be blocked)
  • sudo on the server

Step-by-step diagnostic


Steps

Goal: Confirm the block with ssh -v, identify the firewall, add an allow rule for port 22, and test.

  • Run ssh -v user@host to see the error. Connection timed out usually means the firewall blocks port 22.
  • Good: You see timeout or refused. Proceed to Check firewall.
  • Bad: Run ssh -vv for more detail.

Check ssh -v output

Goal: Identify the failure type.

  • Connection timed out: firewall or network blocks port 22.
  • Connection refused: sshd not running on the server.
  • Permission denied: keys or auth—see fix-ssh-will-not-connect.
  • Good: Error identified. Proceed to ufw path or iptables path.
  • Bad: Run nc -zv host 22 from the client to confirm port reachability.

Check firewall

Goal: Identify which firewall is active and add the rule.

  • On the server: sudo ufw status (Ubuntu/Debian), sudo firewall-cmd --state (RHEL/Fedora), or sudo iptables -L -n (raw iptables).
  • Good: You know which firewall runs. Proceed to the matching section.
  • Bad: Try each command; one will show rules.

ufw path

Goal: Add allow rule for port 22 with ufw.

  • Run sudo ufw allow 22/tcp (or sudo ufw allow ssh). Then sudo ufw reload.
  • Run sudo ufw status numbered to confirm the rule. From the client: nc -zv host 22 and ssh user@host.
  • Good: Port 22 is reachable and SSH connects.
  • Bad: Check that sshd is running with systemctl status sshd.

iptables path

Goal: Add INPUT rule for port 22 with iptables.

  • Run sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT. Save with your distro’s method (e.g. netfilter-persistent save or iptables-save > /etc/iptables/rules.v4).
  • From the client: nc -zv host 22 and ssh user@host.
  • Good: Port 22 is reachable and SSH connects.
  • Bad: Check that the rule was saved and survives reboot.

When to escalate

Escalate if:

  • The server is managed by config management.
  • You cannot run firewall commands (permission denied).
  • Security policy forbids opening port 22.

Provide ssh -v output and ufw status or iptables -L.

Verification

  • ssh user@host connects without timeout.
  • nc -zv host 22 from the client succeeds.
  • ufw status or iptables -L shows an allow rule for port 22.
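The diagnostic path above (classify the ssh -v error, identify the active firewall, add the port-22 allow rule, reload) together with the Verification checks, written as one POSIX sh script. This is an added example, not code from the guide or from Blackbox Atlas: the function names, the file name fix-ssh-firewall.sh and the SAMPLE_* strings are constructed for illustration, and the iptables save step assumes netfilter-persistent is installed (use the iptables-save form from the guide otherwise).

```shell
#!/bin/sh
# Added example, not from the original guide: the guide's decision tree as POSIX sh
# functions. Function names and the SAMPLE_* strings are constructed for
# illustration; ssh, nc, ufw, firewall-cmd, iptables and systemctl are the real tools.

# --- Constructed sample output (not captured from a real host), used offline ---
SAMPLE_TIMEOUT='ssh: connect to host 203.0.113.5 port 22: Connection timed out'
SAMPLE_REFUSED='ssh: connect to host 203.0.113.5 port 22: Connection refused'
SAMPLE_DENIED='alice@203.0.113.5: Permission denied (publickey).'
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere'
SAMPLE_IPTABLES_INPUT='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Classify `ssh -v` output read on stdin into the guide's three failure types.
# Prints: timeout | refused | auth | unknown
classify_ssh_error() {
    out=$(cat)
    case "$out" in
        *"Connection timed out"*) echo timeout ;;   # firewall or network blocks port 22
        *"Connection refused"*)   echo refused ;;   # port reachable, sshd not listening
        *"Permission denied"*)    echo auth ;;      # keys/auth: a different guide
        *)                        echo unknown ;;   # re-run with ssh -vv
    esac
}

# Client side: run the guide's first step and say what to do next.
diagnose_from_client() {   # $1 = user@host
    if out=$(ssh -v -o BatchMode=yes -o ConnectTimeout=10 "$1" true 2>&1); then
        echo "ssh works; nothing to fix"; return 0
    fi
    case "$(printf '%s\n' "$out" | classify_ssh_error)" in
        timeout) echo "timeout: firewall/network blocks port 22; run --apply on the server console" ;;
        refused) echo "refused: port reachable but sshd not running; on the server: sudo systemctl status sshd" ;;
        auth)    echo "permission denied: keys or auth, not a firewall problem" ;;
        *)       echo "unclear; re-run with ssh -vv and read the last lines:"; printf '%s\n' "$out" | tail -n 5 ;;
    esac
}

# Server side: which host firewall is active? Prints ufw | firewalld | iptables | none
detect_firewall() {
    if command -v ufw >/dev/null 2>&1 && sudo ufw status 2>/dev/null | grep -q '^Status: active'; then
        echo ufw
    elif command -v firewall-cmd >/dev/null 2>&1 && [ "$(sudo firewall-cmd --state 2>/dev/null)" = running ]; then
        echo firewalld
    elif command -v iptables >/dev/null 2>&1; then
        echo iptables
    else
        echo none
    fi
}

# The allow-and-reload commands for a firewall, printed one per line so they can be
# reviewed before they are run (the iptables save step assumes netfilter-persistent).
firewall_allow_cmds() {
    case "$1" in
        ufw)       printf '%s\n' 'sudo ufw allow 22/tcp' 'sudo ufw reload' ;;
        firewalld) printf '%s\n' 'sudo firewall-cmd --permanent --add-service=ssh' 'sudo firewall-cmd --reload' ;;
        iptables)  printf '%s\n' 'sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT' 'sudo netfilter-persistent save' ;;
        *)         echo "unsupported firewall: $1" >&2; return 1 ;;
    esac
}

# Does a rule listing on stdin (ufw status, or iptables -S INPUT) already allow port 22?
rule_present() {   # $1 = ufw | iptables
    case "$1" in
        ufw)      grep -Eq '^(22/tcp|OpenSSH)[[:space:]]+ALLOW' ;;
        iptables) grep -Eq -- '--dport 22 .*-j ACCEPT' ;;
        *)        return 1 ;;
    esac
}

# Server side: detect, add the rule, reload, then confirm the rule is listed (Verification).
fix_ssh_firewall() {
    fw=$(detect_firewall)
    if [ "$fw" = none ]; then echo "no supported firewall found; escalate" >&2; return 1; fi
    echo "active firewall: $fw"
    firewall_allow_cmds "$fw" | while IFS= read -r cmd; do echo "+ $cmd"; eval "$cmd" || exit 1; done || return 1
    case "$fw" in
        ufw)       sudo ufw status | rule_present ufw ;;
        iptables)  sudo iptables -S INPUT | rule_present iptables ;;
        firewalld) sudo firewall-cmd --list-services | grep -qw ssh ;;
    esac && echo "port 22 allow rule is in place; from the client: nc -zv <host> 22 && ssh <user>@<host>"
}

case "${1:-}" in
    --diagnose) diagnose_from_client "$2" ;;   # run on the client
    --apply)    fix_ssh_firewall ;;           # run on the server console
esac
```

Run `sh fix-ssh-firewall.sh --diagnose user@host` on the client first, then `sh fix-ssh-firewall.sh --apply` on the server console. The script uses `iptables -I INPUT` as the guide does: `-I` puts the accept rule at the top of the chain, ahead of any existing DROP, where `-A` would append it after them; and as the guide's iptables path warns, the rule is gone after a reboot unless the save step actually runs.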

Escalation ladder

Work from the device outward. Stop when the problem is fixed.

  1. ssh -v: Run ssh -v to confirm timeout or refused.
  2. Identify firewall: Check ufw, firewalld, or iptables.
  3. Add allow rule: ufw allow 22/tcp or iptables INPUT rule for port 22.
  4. Reload and test: Reload firewall; test with nc -zv and ssh.

What to capture if you need help

Before calling support or posting for help, have these ready. It speeds everything up.

  • ssh -v output
  • ufw status or iptables -L output
  • Steps already tried

What does ssh -v show?

Run ssh -v user@host. Note the error.

Run `ssh -v user@host`. Connection timed out: firewall or network blocks port 22—check ufw/iptables on server. Connection refused: sshd not running—check systemctl status sshd. Permission denied: keys or auth—different guide.


Run ssh -vv

Run `ssh -vv user@host` for more detail. Check the last lines before failure. Confirm: you should see connection refused, timeout, or permission denied.

Connection timed out?

Timeout usually means firewall blocks port 22.

Timeout: On server check ufw status or iptables -L. Add ufw allow 22/tcp or iptables INPUT rule for port 22. Reload. Test with nc -zv host 22 from client. Refused: sshd not running—start with systemctl start sshd.


Which firewall is active?

ufw, firewalld, or iptables.

Run `sudo ufw status` or `sudo iptables -L -n`. ufw: ufw allow 22/tcp; ufw reload. iptables: iptables -I INPUT -p tcp --dport 22 -j ACCEPT; save. Confirm: the rule is listed and port 22 is reachable.


Check firewall

Run ufw status, firewall-cmd --state, and iptables -L. One should show rules. Add the allow rule for port 22 with the active firewall. Reload. Test nc -zv host 22.

Add allow rule

ufw: ufw allow 22/tcp; ufw reload. iptables: iptables -I INPUT -p tcp --dport 22 -j ACCEPT; save. firewalld: firewall-cmd --add-service=ssh --permanent; firewall-cmd --reload. Confirm: SSH connects.

Start sshd

Connection refused means sshd is not listening. Run `sudo systemctl start sshd` (or `sudo systemctl start ssh`, depending on the distribution's unit name). Check systemctl status sshd. If still refused, see fix-ssh-will-not-connect.

Reviewed by Blackbox Atlas

Frequently asked questions

Why would a firewall block SSH?
Default firewall rules often deny incoming connections. ufw, firewalld, or iptables may not have an allow rule for port 22. Add the rule and reload.
Can I fix firewall blocking SSH myself?
Yes. Add ufw allow 22/tcp (or firewall-cmd --add-service=ssh, or iptables rule), reload, and test with ssh or nc -zv.
When should I escalate firewall blocking SSH?
If the server is managed, you lack sudo for firewall commands, or security policy forbids opening port 22.
