Fix iptables that blocks traffic
We'll confirm the block, add an allow rule, save, and verify—or tell you when to escalate.
What you'll need
- SSH or console access with root or sudo
- The port and protocol (TCP or UDP)
Step-by-step diagnostic
Steps
Goal: Confirm the block, add an allow rule, save, and verify.
Confirm the block
- On the server, run ss -tlnp (ss -ulnp for UDP) to confirm the service listens. From a client, run nc -zv <server-ip> <port> (add -u for UDP).
- Good: Service listens but the connection times out; iptables may be blocking it. Proceed to Check iptables rules.
- Bad: Service does not listen; start the service first.
Check iptables rules
Goal: See current rules and identify what blocks traffic.
- Run sudo iptables -L -n -v. Check the INPUT chain for incoming traffic and the OUTPUT chain for outbound.
- Good: You see the chains and rules. Proceed to Add allow rule.
- Bad: Permission denied; see When to escalate.
Add allow rule
Goal: Add an ACCEPT rule before any DROP.
- Incoming: sudo iptables -I INPUT -p tcp --dport <port> -j ACCEPT (use -p udp for UDP). -I inserts at the top of the chain, so the new rule is evaluated before any existing DROP.
- Outbound: sudo iptables -I OUTPUT -p tcp --dport <port> -j ACCEPT
- Save: sudo netfilter-persistent save, or sudo iptables-save | sudo tee /etc/iptables/rules.v4
- Good: Rule added and saved. Proceed to Test.
- Bad: Rule does not persist; check your distro's save method.
Test
Goal: Verify the connection works.
- From another machine: nc -zv <server-ip> <port> (incoming). Or run your outbound command.
- Good: Connection succeeds.
- Bad: Check rule order; ACCEPT must come before DROP.
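The "first match wins" check behind the Check and Test steps, as an added example that is not part of this guide: a small POSIX shell helper that walks a constructed iptables -L INPUT -n -v listing and reports which rule a new connection to a given port would hit. The listing, SAMPLE_RULES, and the helpers first_match and diagnose are constructed for this example; the model covers flat chains only (no jumps to user chains, multiport, port ranges or source filters).

```shell
#!/bin/sh
# Constructed sample of `sudo iptables -L INPUT -n -v` output (not captured from a real host).
# Note the port 8080 rules: DROP sits above ACCEPT, so the ACCEPT never fires.
SAMPLE_RULES='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  6000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  500 30000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   10   600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   25  1500 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080'

# first_match PROTO PORT  (chain listing on stdin)
# Prints the target of the first rule a NEW, non-loopback PROTO connection to PORT
# would hit, or "policy <TARGET>" when nothing matches and the chain policy applies.
first_match() {
  awk -v proto="$1" -v port="$2" '
    /^Chain / { match($0, /policy [A-Z]+/); policy = substr($0, RSTART + 7, RLENGTH - 7); next }
    /^ *pkts/ || NF < 9 { next }          # header line or anything that is not a rule
    {
      target = $3; prot = $4; in_if = $6
      if (in_if != "*") next              # interface-bound rule (e.g. lo) does not apply
      if ($0 ~ /ctstate/) next            # conntrack rule; a new connection does not match
      if (prot != "all" && prot != proto) next
      dpt = ""
      if (match($0, /dpt:[0-9]+/)) dpt = substr($0, RSTART + 4, RLENGTH - 4)
      if (dpt != "" && dpt != port) next
      print target; found = 1; exit      # first match wins
    }
    END { if (!found) print "policy " policy }'
}

# diagnose PROTO PORT  (chain listing on stdin): exit 0 if allowed, 1 if blocked
diagnose() {
  verdict=$(first_match "$1" "$2")
  case "$verdict" in
    ACCEPT) echo "$1/$2: allowed ($verdict)"; return 0 ;;
    *)      echo "$1/$2: blocked by '$verdict'; an ACCEPT must be inserted above it"; return 1 ;;
  esac
}

# Walk the sample for a few ports; `|| :` keeps a "blocked" verdict from aborting under set -e.
for spec in "tcp 22" "tcp 8080" "tcp 443" "udp 53"; do
  printf '%s\n' "$SAMPLE_RULES" | diagnose $spec || :
done
```

On a real host, replace the sample with `sudo iptables -L INPUT -n -v | first_match tcp <port>`; a verdict of DROP, REJECT or "policy DROP" is the ordering or policy problem the Add allow rule step fixes.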
When to escalate
Escalate if:
- The system is managed by config management.
- You cannot run iptables (permission denied).
- Security policy forbids changing rules.
Provide iptables -L -n output and the port or traffic type.
Verification
- sudo iptables -L -n shows an ACCEPT rule for the port.
- nc -zv <server-ip> <port> from another machine succeeds (incoming).
- Outbound connections succeed if that was the issue.
- Rules persist after reboot.
Escalation ladder
Work from the device outward. Stop when the problem is fixed.
- Confirm block: Verify the service listens but connections fail, or outbound fails.
- Check rules: Run iptables -L -n -v.
- Add allow rule: iptables -I INPUT or OUTPUT with ACCEPT.
- Save and test: Save rules; test the connection.
What to capture if you need help
Before calling support or posting for help, have these ready. It speeds everything up.
- iptables -L -n -v output
- Port and protocol
- Steps already tried
Reviewed by Blackbox Atlas
Frequently asked questions
- Why would iptables block traffic?
- Default policy or explicit DROP/REJECT rules block traffic. Check iptables -L -n to see the rules. Order matters—first match wins.
- Can I fix iptables blocking traffic myself?
- Yes. Add an ACCEPT rule before the DROP rule, save with iptables-save or netfilter-persistent, and test.
- When should I escalate iptables blocking traffic?
- If the system is managed by config management, you lack root, or security policy forbids changing rules.