How to allow a port safely

Topic: Networking basics

Summary

Allow inbound traffic to a specific port (e.g. 80, 443) without locking yourself out: allow your admin port (SSH) first, then allow the new port, and verify from a second session while the first one stays open. Use UFW, nftables, or iptables, whichever already manages the host; record the rule (ticket, commit, or rule comment) so it can be audited later. Use this when opening a service to the network.

Intent: How-to

Quick answer

  • Allow SSH (or your admin port) before enabling the firewall or adding a default-deny policy; only then allow the new port (e.g. ufw allow 80/tcp, or nft add rule inet filter input tcp dport 80 accept).
  • Specify protocol (TCP or UDP) and port. UFW writes a range as 8000:8010/tcp (the protocol is mandatory for ranges); nftables writes it as tcp dport 8000-8010. Restrict the source where you can (e.g. ufw allow from 10.0.0.0/8 to any port 22 proto tcp).
  • Apply the rule and check it is persistent: ufw applies allow rules immediately while enabled and saves them; nft add rule and iptables commands change the live ruleset only and are lost on reboot unless written to the config file or saved. Test from a client (nc -zv SERVER PORT); keep an out-of-band console session available in case the policy blocks you.



Prerequisites

Steps

Step 1: Ensure admin access is allowed first

Before enabling the firewall or adding a default-deny policy, add an allow rule for SSH (or your admin port): sudo ufw allow 22/tcp, or the equivalent accept rule placed above any drop in the input chain. Do not remove or reorder that rule when adding the new port, and keep your current SSH session open until the new rule has been verified from a second session.

Step 2: Add the allow rule

  • UFW: sudo ufw allow 80/tcp (and sudo ufw allow 443/tcp if needed). The rule is live immediately if ufw is enabled, and ufw persists it for you.
  • nftables: sudo nft add rule inet filter input tcp dport 80 accept. The table (inet filter) and chain (input) must already exist with those names; check sudo nft list ruleset first. nft add rule changes only the running ruleset, so also add the rule to /etc/nftables.conf (or whichever file your distribution loads at boot) or it disappears on reboot.
  • iptables: sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT. Prefer -I (insert at the top, or -I INPUT <n> at a chosen position) over -A when the chain ends with an explicit DROP or REJECT rule: -A appends after that rule, where the new rule never matches. Persist with iptables-save (or netfilter-persistent) or the rule is gone after a reboot.

Use the tool that is already managing the firewall on the host; mixing ufw with hand-written nft or iptables rules produces a ruleset that is hard to audit and easy to break on the next reload.

Step 3: Restrict by source if needed

To allow only from a subnet: sudo ufw allow from 10.0.0.0/8 to any port 80 proto tcp. In nftables add ip saddr 10.0.0.0/8 before the port match; in iptables add -s 10.0.0.0/8. This limits who can reach the port, but a source match is not authentication: source addresses can be spoofed on untrusted networks, so the service still needs its own access control.

Step 4: Apply and verify

Apply the change: a ufw allow rule is live as soon as it is added while ufw is enabled (sudo ufw reload re-reads the rule files if you edited them by hand); for nftables load the saved file with sudo nft -f /etc/nftables.conf; iptables changes are live as soon as the command runs. From a client: nc -zv SERVER 80 or curl -I http://SERVER. Confirm the service is listening on a non-loopback address (ss -tlnp) and the rule is present (sudo ufw status verbose, sudo nft list ruleset, or sudo iptables -S). Do this from a second session while the first SSH session stays open.
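As an added example (not code from the original page), the four steps above as a small bash wrapper around ufw: it validates the port, protocol and source, reads the text of ufw status and refuses to add anything while the firewall is active and the admin port has no ALLOW rule, builds the ufw command in the plain or from/to any port/proto form, and only prints that command unless DRY_RUN=0. The admin port variable (ADMIN_PORT, default 22), the DRY_RUN switch, the function names and the two ufw status samples are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: a guarded wrapper around
# "ufw allow". Assumptions (hypothetical): ufw manages the host firewall,
# the admin port is 22 unless ADMIN_PORT is set, sources are IPv4 only,
# and nothing is executed unless DRY_RUN=0.
set -u

ADMIN_PORT="${ADMIN_PORT:-22}"
DRY_RUN="${DRY_RUN:-1}"

# 0 if PORT is an integer 1..65535 or a ufw-style range lo:hi with lo < hi.
valid_port() {
  local p="$1"
  case "$p" in
    *:*) local lo="${p%%:*}" hi="${p#*:}"
         case "$hi" in *:*) return 1 ;; esac
         valid_port "$lo" && valid_port "$hi" && [ "$lo" -lt "$hi" ] ;;
    ''|*[!0-9]*) return 1 ;;
    *) [ "$p" -ge 1 ] && [ "$p" -le 65535 ] ;;
  esac
}

valid_proto() { case "$1" in tcp|udp) return 0 ;; *) return 1 ;; esac; }

# Crude IPv4 host or CIDR check: four octets 0..255 and an optional /0..32.
valid_source() {
  local s="$1" ip="${1%%/*}" prefix="${1#*/}" o n=0
  [ "$prefix" = "$s" ] && prefix=32               # no "/": a single host
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case "$ip" in .*|*.) return 1 ;; esac
  local IFS=.
  for o in $ip; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# Build, but do not run, the ufw command. A source restriction needs the
# "from ... to any port ... proto ..." form; a range needs the protocol.
build_rule() {
  local port="$1" proto="$2" source="${3:-}"
  if [ -n "$source" ]; then
    printf 'ufw allow from %s to any port %s proto %s\n' "$source" "$port" "$proto"
  else
    printf 'ufw allow %s/%s\n' "$port" "$proto"
  fi
}

# 0 if the text of "ufw status" has an ALLOW rule for the admin port, e.g.
# "22/tcp   ALLOW   Anywhere" or "22   ALLOW IN   10.0.0.0/8".
admin_allowed() {
  printf '%s\n' "$1" | grep -Eq "^${ADMIN_PORT}(/tcp)?[[:space:]]+ALLOW( IN)?[[:space:]]"
}

# Step 1 as a check that cannot be skipped: refuse when the firewall is active
# and the admin port is not allowed. Exit codes: 0 ok, 2 bad input, 3 refused.
allow_port() {
  local port="$1" proto="$2" source="${3:-}" status="${4:-}" cmd
  valid_port "$port"   || { echo "bad port: $port" >&2; return 2; }
  valid_proto "$proto" || { echo "bad proto: $proto" >&2; return 2; }
  if [ -n "$source" ] && ! valid_source "$source"; then
    echo "bad source: $source" >&2; return 2
  fi
  if printf '%s\n' "$status" | grep -q '^Status: active' && ! admin_allowed "$status"; then
    echo "refusing: admin port $ADMIN_PORT has no ALLOW rule; run 'ufw allow $ADMIN_PORT/tcp' first" >&2
    return 3
  fi
  cmd=$(build_rule "$port" "$proto" "$source")
  if [ "$DRY_RUN" = 1 ]; then
    echo "DRY RUN: $cmd"
  else
    $cmd                       # unquoted on purpose: plain words, no shell metacharacters
  fi
}

# Constructed, trimmed "ufw status" output (not captured from a real host).
STATUS_OK='Status: active
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere'
STATUS_NO_SSH='Status: active
443/tcp                    ALLOW       Anywhere'

# On a real host pass "$(sudo ufw status)" as the fourth argument.
allow_port 80 tcp "" "$STATUS_OK"                  # DRY RUN: ufw allow 80/tcp
allow_port 8000:8010 tcp 10.0.0.0/8 "$STATUS_OK"   # subnet-restricted range
allow_port 80 tcp "" "$STATUS_NO_SSH" || echo "refused, exit status $?"
```

On a real host, run it as root (or with sudo in front of the script) with DRY_RUN=0 and "$(sudo ufw status)" as the fourth argument. The refusal path is the point: it turns the "allow SSH first" rule of Step 1 into a check that cannot be forgotten, and the dry-run default lets you paste the generated command into a change record before it is applied.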

Verification

  • The client can connect to the new port; a second SSH session still works; the rule appears in ufw status, nft list ruleset, or iptables -S; the rule is also in the persisted config and in your change record.

Troubleshooting

Port still not reachable — The service may be bound to loopback only (ss -tlnp shows 127.0.0.1:PORT instead of 0.0.0.0:PORT or [::]:PORT), or a firewall outside the host (cloud security group, network ACL, upstream firewall) blocks the path. Compare nc -zv from a host on the same subnet with one from further away to tell host rules from network rules.

Locked out — Use the out-of-band console (hypervisor, cloud serial console, IPMI). With ufw, run sudo ufw allow 22/tcp; with nftables or iptables, insert an accept for the admin port at the top of the input chain, then reload. Disabling the firewall entirely (ufw disable, nft flush ruleset) also restores access but exposes every listening service; treat it as a last resort and re-enable as soon as the SSH rule is in place.

Next steps

Continue to