Commands to allow SSH access in common firewalls
What this is
You installed or reconfigured a firewall on your VPS and lost SSH access (immediately, or after a reboot). Log in through the Console in your client area, which works regardless of network rules, and run the commands for your firewall. Replace 22 with your port if you changed the SSH port.
First, understand the default input policy (the bit everyone misses)
Every firewall has a default policy for inbound packets that match no rule: accept them, or drop them. This single setting explains most lockouts:
- ufw, CSF, and firewalld default to deny inbound the moment they're enabled. That's why turning one on without an SSH allow rule already in place locks you out instantly: there's no rule blocking you, there's just no rule allowing you, and the default does the rest.
- With raw iptables/nft, flushing rules is not enough if the policy is DROP. iptables -F removes the rules but keeps the policy, so you stay locked out. You must also reset the policy: iptables -P INPUT ACCEPT.
- Check where you stand before assuming: iptables -L INPUT -n | head -1 prints (policy ACCEPT) or (policy DROP); ufw status verbose shows Default: deny (incoming); CSF and firewalld are deny-inbound by design.
Default-deny inbound is the right posture for a server (we recommend it); the discipline it demands is simply that the SSH allow rule exists before the policy takes effect.
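A pre-flight check for the "where do I stand" question above, added here as an example and not part of the original article. It reads the INPUT chain in the form iptables -S INPUT prints it (the rulesets below are constructed samples; on a real host pipe the live output in), reports the default policy and whether an accept rule for the SSH port exists, and also catches the case where an accept rule was appended below a catch-all DROP rule: iptables stops at the first matching rule, so a rule added with -A after a trailing DROP never fires, which is why the rule in the iptables section below is inserted with -I. A second helper extracts the Default: line from ufw status verbose. Only an unqualified "-A INPUT -j DROP" (or REJECT) is treated as a catch-all here; that is this example's simplification.

```shell
#!/bin/sh
# Added example, not from the original article: a "would I be locked out?" check
# over the INPUT chain as printed by `iptables -S INPUT`. It reports the default
# policy, whether an ACCEPT for the given TCP port exists, and whether that rule
# sits above the first catch-all DROP/REJECT (first matching rule wins).
# Simplification: only an unqualified "-A INPUT -j DROP|REJECT" counts as catch-all.

# Usage: iptables -S INPUT | lockout_verdict PORT
lockout_verdict() {
    awk -v port="$1" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 == "-A" && $2 == "INPUT" {
            n++
            dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            # first ACCEPT whose --dport is our port
            if (!allow_at && target == "ACCEPT" && dport == port) allow_at = n
            # first unqualified DROP/REJECT: "-A INPUT -j DROP" has exactly 4 fields
            if (!drop_at && NF == 4 && (target == "DROP" || target == "REJECT")) {
                drop_at = n; drop_target = target
            }
        }
        END {
            if (policy == "") policy = "ACCEPT"   # iptables default when no -P line is printed
            if (allow_at && (!drop_at || allow_at < drop_at)) {
                print "ok: tcp/" port " accepted at rule " allow_at
            } else if (drop_at) {
                print "LOCKOUT: catch-all " drop_target " at rule " drop_at " precedes any accept for tcp/" port
            } else if (policy == "DROP") {
                print "LOCKOUT: policy DROP and no accept rule for tcp/" port
            } else {
                print "ok: policy ACCEPT and no catch-all drop; tcp/" port " reaches sshd"
            }
        }'
}

# Usage: ufw status verbose | ufw_default_incoming   -> prints "deny" or "allow"
ufw_default_incoming() {
    sed -n 's/^Default: *\([a-z]*\) (incoming).*/\1/p'
}

# Constructed sample: the state the article describes after a lockout (policy DROP,
# only conntrack and loopback rules, nothing for SSH). Replace with live output.
SAMPLE_RULESET='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT'

printf '%s\n' "$SAMPLE_RULESET" | lockout_verdict "${SSH_PORT:-22}"
```

On a live box run iptables -S INPUT | lockout_verdict 22 (or your port) from the Console before touching anything; an "ok" line tells you the ruleset is not the reason SSH fails, so look elsewhere (sshd not listening, a second firewall layer) instead of flushing rules blindly.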
Allow SSH
ufw
ufw allow 22/tcp
CSF
Edit /etc/csf/csf.conf, add 22 to the TCP_IN list (matching the existing comma-separated format), save, then apply:
csf -r
firewalld
firewall-cmd --permanent --add-port=22/tcp
firewall-cmd --reload
iptables
iptables -I INPUT -m tcp -p tcp --dport 22 -j ACCEPT
(Then save the ruleset the way your distro persists it, e.g. netfilter-persistent save, or the rule is gone on reboot.)
nft (replace inet filter with your table if it differs)
nft add rule inet filter input tcp dport 22 ct state new accept
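The five "allow SSH" recipes above, gathered into one script as an added example (not the article's own tooling, and not part of any of these firewalls). It validates the port, prints the right command for a named firewall, and, because CSF's rule lives in a config file rather than a command, includes an idempotent editor for the TCP_IN line of csf.conf that keeps the quoted comma-separated format and leaves TCP_OUT alone. The config path is a parameter, and the csf.conf content used when testing it is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: per-firewall "allow SSH" command
# builder plus an idempotent TCP_IN editor for CSF. Port and config path are
# parameters; nothing here runs a firewall command by itself.

# 1..65535, digits only
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the command(s) that open inbound TCP/$2 for firewall $1
# (ufw|csf|firewalld|iptables|nft). The iptables rule still needs persisting
# (e.g. netfilter-persistent save) or it is gone on reboot.
allow_ssh_cmds() {
    fw=$1; port=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    case "$fw" in
        ufw)       echo "ufw allow $port/tcp" ;;
        csf)       echo "csf_add_tcp_in /etc/csf/csf.conf $port && csf -r" ;;   # helper below
        firewalld) echo "firewall-cmd --permanent --add-port=$port/tcp && firewall-cmd --reload" ;;
        iptables)  echo "iptables -I INPUT -m tcp -p tcp --dport $port -j ACCEPT" ;;
        nft)       echo "nft add rule inet filter input tcp dport $port ct state new accept" ;;
        *)         echo "unknown firewall: $fw" >&2; return 2 ;;
    esac
}

# Print the current TCP_IN list from csf.conf at $1 (empty if the list is empty).
csf_tcp_in() {
    sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' "$1"
}

# Append $2 to TCP_IN in csf.conf at $1; no-op if already listed. Rewrites only
# the TCP_IN line and preserves the file's permissions (writes through cat).
csf_add_tcp_in() {
    conf=$1; port=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    grep -q '^TCP_IN *=' "$conf" || { echo "no TCP_IN line in $conf" >&2; return 1; }
    current=$(csf_tcp_in "$conf")
    case ",$current," in
        *",$port,"*) return 0 ;;                       # already present
    esac
    if [ -n "$current" ]; then new="$current,$port"; else new="$port"; fi
    tmp=$(mktemp)
    sed "s/^TCP_IN *= *\"[^\"]*\"/TCP_IN = \"$new\"/" "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Demo: show the command for every firewall, for port $SSH_PORT (default 22).
for fw in ufw csf firewalld iptables nft; do
    printf '%-10s %s\n' "$fw:" "$(allow_ssh_cmds "$fw" "${SSH_PORT:-22}")"
done
```

Run it with SSH_PORT=2222 to see the commands for a custom port; the port check is there precisely because a typo like 2222/tcpp or an out-of-range number silently produces a rule that does not help you.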
Not sure which firewall you have? Stop them
Run these until access returns, then set up the one you actually use properly:
csf -x # CSF
systemctl stop ufw # ufw
systemctl stop firewalld # firewalld
iptables -F && iptables -P INPUT ACCEPT # raw iptables: flush + reset policy
(Note the iptables line does both: -F alone doesn't restore access when the default input policy is DROP; the -P INPUT ACCEPT is the half people forget.)
Stopping a firewall is a diagnosis step, not a fix: once you're back in, re-enable it with an SSH rule in place. And remember your VPS still sits behind our managed network firewall for the highest-risk app ports either way.
Avoid the next lockout
- Add the SSH rule before enabling a new firewall (before the default-deny policy takes effect), and keep your current session open while you test a fresh connection from a second terminal.
- ufw users: ufw allow 22/tcp first, ufw enable second. In that order.
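One way to make the "rule first, enable second, test from a second terminal" advice mechanical, added as an example that goes beyond the article: a rollback timer. The ufw commands are the ones above; the timer and confirmation mechanism, the pid-file location and the 120-second default are this example's own choices. It adds the SSH rule, arms a background job that runs ufw disable after ROLLBACK_SECONDS, then enables ufw. If the fresh connection works you cancel the timer from that new session; if it doesn't, the timer undoes the change and the session you still have survives.

```shell
#!/bin/sh
# Added example, not from the original article: enable ufw over SSH with an
# automatic rollback unless a new session confirms within ROLLBACK_SECONDS.
# Assumptions (this example's, not ufw's): timer pid kept in $STATE_DIR, 120 s default.

ROLLBACK_SECONDS=${ROLLBACK_SECONDS:-120}
STATE_DIR=${STATE_DIR:-/run}

# Arm a rollback: run "$2" through sh after "$1" seconds unless cancelled first.
# nohup keeps the timer alive if the session that armed it is dropped.
schedule_rollback() {
    nohup sh -c "sleep $1 && $2" >/dev/null 2>&1 &
    echo $! > "$STATE_DIR/fw-rollback.pid"
}

# Cancel the armed rollback. Run this from the NEW session once it is working.
confirm_enable() {
    pidfile="$STATE_DIR/fw-rollback.pid"
    [ -f "$pidfile" ] || { echo "no rollback armed" >&2; return 1; }
    kill "$(cat "$pidfile")" 2>/dev/null || true   # killing the waiting sh means "ufw disable" never runs
    rm -f "$pidfile"
    echo "rollback cancelled; firewall stays enabled"
}

# Rule first, rollback armed, enable second (the article's order, with a safety net).
safe_enable_ufw() {
    port=${1:-22}
    ufw allow "$port/tcp"
    schedule_rollback "$ROLLBACK_SECONDS" "ufw disable"
    ufw --force enable      # --force skips ufw's interactive "may disrupt existing ssh connections" prompt
    echo "ufw enabled. Open a NEW ssh session on port $port and run 'sh $0 confirm' within ${ROLLBACK_SECONDS}s"
}

case "${1:-}" in
    enable)  safe_enable_ufw "${2:-22}" ;;
    confirm) confirm_enable ;;
esac
```

Typical use: sh fw-safe-enable.sh enable 22 in your current session, then ssh in again from a second terminal and run sh fw-safe-enable.sh confirm there. If that second login never succeeds, do nothing: two minutes later ufw is disabled again and your first session still works. The same shape (arm, act, confirm) fits firewalld with systemctl stop firewalld as the undo command.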
Still need help?
You can open a support ticket. So that we can help on the first reply, please include:
- the VPS hostname or IP,
- which firewall you run (ufw, CSF, firewalld, iptables, nft) and the command you tried,
- whether the Console still gets you in.
Related questions
- "How do I allow SSH in ufw / CSF / firewalld / iptables / nft?"
- "I enabled a firewall and locked myself out, what now?"
- "How do I stop a firewall I can't identify?"
- "How do I open my custom SSH port in the firewall?"
- "What is the default input policy, and why am I still locked out after flushing iptables?"