Fix a Linux firewall that blocks port

We'll confirm the port is blocked, identify ufw/firewalld/iptables, add an allow rule, and reload—or tell you when to contact admin.

Category
Troubleshooting · Home maintenance
Time
10–20 min
What you'll need
  • SSH or console access to the Linux server
  • sudo or root
  • The port number and protocol (TCP or UDP)

Step-by-step diagnostic

Steps

Goal: Confirm the port is blocked, identify the firewall (ufw, firewalld, or iptables), add an allow rule, and test.

  • On the server, run ss -tlnp or netstat -tlnp to confirm the service listens on the port.
  • From another machine, run nc -zv <server-ip> <port>. If the service listens but the connection times out, the firewall is likely blocking.
  • Good: Service listens, connection fails—proceed to Identify the firewall.
  • Bad: Service does not listen—start or fix the service first.
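The Step 1 checks as a small script, added here as an example and not part of this guide. It switches to ss -ulnp when the protocol is UDP (ss -tlnp lists TCP sockets only), and it identifies the firewall in the same order the guide uses. The function names (listens_on_port, classify_firewall, detect_firewall, diagnose) and the sample ss output are this example's own, so the parsing can be exercised without root or a network:

```shell
#!/bin/sh
# Added example for this guide (not part of the original page): the two checks
# in Step 1, with the parsing split into pure functions so the decision logic
# can be exercised on constructed sample output without root or a network.

# listens_on_port PORT  (reads `ss -tlnp` / `ss -ulnp` output on stdin)
# Returns 0 when column 4 (Local Address:Port) ends in :PORT on a LISTEN (TCP)
# or UNCONN (UDP) line. Splitting on ":" and taking the last field also handles
# "[::]:8080" and "*:8080".
listens_on_port() {
    awk -v p="$1" '
        $1 == "LISTEN" || $1 == "UNCONN" {
            n = split($4, a, ":")
            if (a[n] == p) found = 1
        }
        END { exit !found }'
}

# classify_firewall UFW_STATUS FIREWALLD_STATE IPTABLES_INPUT_RULES
# Takes the text of `ufw status`, `firewall-cmd --state` and `iptables -S INPUT`.
# ufw and firewalld both sit on top of the kernel packet filter, so they are
# checked first; raw iptables is only reported when the INPUT chain actually
# drops or rejects something.
classify_firewall() {
    case $1 in *"Status: active"*) echo ufw; return 0 ;; esac
    case $2 in running) echo firewalld; return 0 ;; esac
    case $3 in
        *"-P INPUT DROP"*|*"-P INPUT REJECT"*|*"-j DROP"*|*"-j REJECT"*)
            echo iptables; return 0 ;;
    esac
    echo none
    return 1
}

# Live wrapper (needs sudo for ufw and iptables; firewall-cmd --state does not).
detect_firewall() {
    classify_firewall "$(sudo ufw status 2>/dev/null)" \
                      "$(firewall-cmd --state 2>/dev/null)" \
                      "$(sudo iptables -S INPUT 2>/dev/null)"
}

# diagnose PORT [tcp|udp]: Step 1 end to end, run on the server.
diagnose() {
    port=$1 proto=${2:-tcp}
    flag=-t
    [ "$proto" = udp ] && flag=-u
    if ss "${flag}lnp" | listens_on_port "$port"; then
        echo "service listens on $port/$proto"
    else
        echo "nothing listens on $port/$proto: start or fix the service first"
        return 1
    fi
    echo "active firewall: $(detect_firewall)"
}

# Constructed sample of `ss -tlnp` output, used only to show the parser working.
SAMPLE_SS='State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0       511                  *:8080               *:*      users:(("node",pid=1432,fd=19))
LISTEN  0       128               [::]:22              [::]:*      users:(("sshd",pid=812,fd=4))'

if [ "${1:-}" = "diagnose" ]; then
    diagnose "$2" "${3:-tcp}"
fi
```

Run it on the server as `sh diagnose.sh diagnose 8080 tcp`. One caveat for the client-side check in Step 1: nc -zv gives a reliable verdict for TCP only. For UDP, nc reports success unless an ICMP port-unreachable message comes back, so a firewall that silently drops the packet looks the same as an open port; for UDP services, send a real request with the service's own client instead.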

ufw path

Goal: Add an allow rule with ufw (Ubuntu, Debian).

  • Run sudo ufw status. If ufw is active, run sudo ufw allow <port>/tcp (or /udp for UDP). Example: sudo ufw allow 8080/tcp.
  • Run sudo ufw reload. Run sudo ufw status numbered to confirm the rule.
  • Test from another machine: nc -zv <server-ip> <port>.
  • Good: Connection succeeds. The port is open.
  • Bad: Permission denied—contact admin. See When to get help.

firewalld path

Goal: Add a port with firewalld (RHEL, Fedora, CentOS).

  • Run sudo firewall-cmd --add-port=<port>/tcp --permanent (use /udp for UDP). Example: sudo firewall-cmd --add-port=8080/tcp --permanent.
  • Run sudo firewall-cmd --reload. Run sudo firewall-cmd --list-ports to confirm.
  • Test from another machine.
  • Good: Connection succeeds. The port is open.
  • Bad: Permission denied—contact admin. See When to get help.

iptables path

Goal: Add an INPUT rule with iptables.

  • Run sudo iptables -I INPUT -p tcp --dport <port> -j ACCEPT (use -p udp for UDP). Example: sudo iptables -I INPUT -p tcp --dport 8080 -j ACCEPT.
  • Save the rules. On Debian/Ubuntu: sudo netfilter-persistent save, or sudo sh -c 'iptables-save > /etc/iptables/rules.v4' (the redirect must run as root, so wrap it in sh -c; plain sudo iptables-save > /etc/iptables/rules.v4 fails because your own unprivileged shell opens the file). On RHEL: sudo service iptables save (if applicable).
  • Test from another machine.
  • Good: Connection succeeds. The port is open.
  • Bad: Permission denied—contact admin. See When to get help.

When to get help

  • You cannot run sudo ufw, sudo firewall-cmd, or sudo iptables (permission denied).
  • The rule is added but the connection still fails—check the service, network, or routing.
  • The system is managed by an admin—they must add the rule.

Verification

  • The firewall rule appears in ufw status, firewall-cmd --list-ports, or iptables -L -n.
  • From another machine, nc -zv <server-ip> <port> succeeds.
  • The service accepts connections and responds.
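The three paths (ufw, firewalld, iptables) and the Verification list as one script, added here as an example; it is not the guide's own code nor from any of those projects. The function names are this example's; it assumes the Debian/Ubuntu /etc/iptables/rules.v4 location when persisting iptables rules, and the optional SOURCE_CIDR argument (limit the rule to one network instead of opening the port to everyone) is an addition the guide does not cover. The command builders and the rule-list parser are pure, so they can be checked without root; only apply_rule touches the system:

```shell
#!/bin/sh
# Added example for this guide (not part of the original page): one script for
# the ufw, firewalld and iptables paths plus the Verification checks.
# Assumptions: iptables rules are persisted the Debian/Ubuntu way
# (/etc/iptables/rules.v4); the optional SOURCE_CIDR argument is an addition of
# this example, not a step in the guide.

# valid_port N: integer between 1 and 65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# allow_cmd TOOL PORT PROTO [SOURCE_CIDR]: print the command that opens the port.
# Giving a SOURCE_CIDR limits the rule to that network instead of "Anywhere".
allow_cmd() {
    case $1 in
        ufw)
            if [ -n "${4:-}" ]; then echo "ufw allow from $4 to any port $2 proto $3"
            else echo "ufw allow $2/$3"; fi ;;
        firewalld)
            if [ -n "${4:-}" ]; then
                echo "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$4\" port port=\"$2\" protocol=\"$3\" accept'"
            else echo "firewall-cmd --add-port=$2/$3 --permanent"; fi ;;
        iptables)
            if [ -n "${4:-}" ]; then echo "iptables -I INPUT -s $4 -p $3 --dport $2 -j ACCEPT"
            else echo "iptables -I INPUT -p $3 --dport $2 -j ACCEPT"; fi ;;
        *) echo "unknown firewall: $1" >&2; return 1 ;;
    esac
}

# reload_cmd TOOL: make the rule live (ufw, firewalld) or persistent (iptables).
# iptables has no reload; the save must run as root, so the redirect is wrapped
# in sh -c rather than left to the unprivileged shell.
reload_cmd() {
    case $1 in
        ufw)       echo "ufw reload" ;;
        firewalld) echo "firewall-cmd --reload" ;;
        iptables)  echo "sh -c 'iptables-save > /etc/iptables/rules.v4'" ;;
    esac
}

# list_cmd TOOL: the status command whose output rule_present parses.
list_cmd() {
    case $1 in
        ufw)       echo "ufw status" ;;
        firewalld) echo "firewall-cmd --list-ports; firewall-cmd --list-rich-rules" ;;
        iptables)  echo "iptables -S INPUT" ;;
    esac
}

# rule_present TOOL PORT PROTO (rule list on stdin): 0 if the allow rule is visible.
# Anchored patterns so 8080/tcp does not match 18080/tcp.
rule_present() {
    case $1 in
        ufw)       grep -qE "^$2/$3[[:space:]]+ALLOW" ;;
        firewalld) grep -qE "(^|[[:space:]])$2/$3([[:space:]]|$)|port=\"$2\" protocol=\"$3\"" ;;
        iptables)  grep -qE -e "-A INPUT .*-p $3 .*--dport $2 -j ACCEPT" ;;
        *)         return 1 ;;
    esac
}

# apply_rule TOOL PORT PROTO [SOURCE_CIDR]: add, reload, then re-read the live
# rule set instead of trusting the exit status alone.
apply_rule() {
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    case $3 in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
    cmd=$(allow_cmd "$1" "$2" "$3" "${4:-}") || return 1
    echo "+ $cmd"
    sudo sh -c "$cmd" || { echo "could not add rule (permission denied? contact your admin)" >&2; return 1; }
    sudo sh -c "$(reload_cmd "$1")" || return 1
    if sudo sh -c "$(list_cmd "$1")" | rule_present "$1" "$2" "$3"; then
        echo "rule present; now test from another machine: nc -zv <server-ip> $2"
    else
        echo "rule not visible after reload; run the status command by hand" >&2
        return 1
    fi
}

if [ "${1:-}" = "apply" ]; then
    apply_rule "$2" "$3" "$4" "${5:-}"
fi
```

Run as `sh openport.sh apply ufw 8080 tcp` (or add a fourth argument such as 10.0.0.0/8 to restrict the source). The final check re-reads the live rule list because a successful exit status from the add command does not by itself prove the rule is active; firewalld in particular only shows a --permanent rule in --list-ports after --reload.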

Escalation ladder

Work from the device outward. Stop when the problem is fixed.

  1. Confirm port blocked: verify the service listens but connections from another machine fail.
  2. Identify firewall: check ufw, firewalld, or iptables.
  3. Add allow rule: add a rule for the port with the correct tool.
  4. Reload and test: reload the firewall and test the connection.
  5. Contact admin: on managed systems, the admin must add the rule.

What to capture if you need help

Before calling support or posting for help, have these ready. It speeds everything up.

  • Port number and protocol (TCP/UDP)
  • Which firewall is active (ufw, firewalld, iptables)
  • Output of firewall status command
  • Steps already tried

Does the service listen but connections from another machine fail?

Check with ss -tlnp on the server. Test with nc -zv from a client.

On the server: `ss -tlnp`. Confirm the service listens on the port. From another machine: `nc -zv <server-ip> <port>`. Good: service listens but connection times out—firewall likely blocking. Bad: service does not listen—fix the service first.


Do you use ufw (Ubuntu/Debian)?

Run sudo ufw status. If active, you use ufw.

Run `sudo ufw status`. Active: use ufw. Inactive: check firewalld or iptables.


ufw — Add rule and reload

sudo ufw allow <port>/tcp, then sudo ufw reload.

Run `sudo ufw allow <port>/tcp` (or /udp). Then `sudo ufw reload`. Test with nc -zv from another machine. Good: connection succeeds. Bad: permission denied—contact admin.


firewalld — Add port and reload

firewall-cmd --add-port --permanent then --reload.

Run `sudo firewall-cmd --add-port=<port>/tcp --permanent` then `sudo firewall-cmd --reload`. Test the connection. Good: connection succeeds. Bad: permission denied—contact admin.


iptables — Add INPUT rule

iptables -I INPUT -p tcp --dport <port> -j ACCEPT, then save.

Run `sudo iptables -I INPUT -p tcp --dport <port> -j ACCEPT`. Save with your distro's command (e.g. netfilter-persistent save). Test the connection. Good: connection succeeds. Bad: permission denied—contact admin.


Contact admin

On a managed server, the admin must add the firewall rule. Provide the port, protocol, and that you confirmed the service listens.

Done

The port is open and connections succeed.