If a host-based firewall on your Droplet is misconfigured, it can prevent connections to or from your computer. Use this guide to debug your host-based firewall settings for errors. If your infrastructure also includes cloud firewalls, follow the cloud firewall connectivity troubleshooting guide as well to ensure that the two firewalls do not have conflicting rule sets.
In this step of the Connectivity Troubleshooting Guide, you will:
You can check to see if any firewall rules are active on your Droplet before troubleshooting them further using IPTables. IPTables is a utility program that manages firewalls and is native to all Linux operating systems.
To see if you have any firewall rules in place on your Droplet, run:
If the command returns the following output, the Droplet does not have any active filtering rules and you can skip to the next section.
Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
If the command returns longer output with policies set to
DROP, the Droplet’s firewall is active. In the sample output below, IPTables returned firewall policies that are set to only accept TCP traffic on port
2222 and were configured using UFW.
Chain INPUT (policy DROP) target prot opt source destination ufw-before-logging-input all -- anywhere anywhere ufw-before-input all -- anywhere anywhere ufw-after-input all -- anywhere anywhere ufw-after-logging-input all -- anywhere anywhere ufw-reject-input all -- anywhere anywhere ufw-track-input all -- anywhere anywhere ... Chain ufw-user-input (1 references) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:2222
If the Droplet has active firewall policies, you can begin reviewing your firewalls rules in the next section.
Use one of the following tools to review the firewall rules on the Droplet. We recommend using UFW to manage your firewall rules as it is the most user-friendly firewall interface.
UFW is an interface for managing netfilter firewall rules and all Ubuntu Droplets have UFW installed by default. You can view the current filtering rules by running:
sudo ufw status verbose
verbose argument returns a more detailed status of the firewall.
If you receive the message
Status: inactive, UFW is not currently configured to manage your firewall and you can try reviewing your Droplet’s firewall settings with
iptables. If UFW is currently active, it returns output similar to the following:
Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 22/tcp (OpenSSH) ALLOW IN Anywhere 22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
The output displays a few things:
Status: Indicates that the firewall is actively enforcing traffic rules.
Default: Indicates the current incoming and outgoing traffic policies. The provided example shows that the incoming policy is to deny connections to the Droplet from outside sources, and the outgoing policy allows traffic from the Droplet to connect to the public internet.
If you have a DigitalOcean Cloud Firewall set up with conflicting rules, you can disable your UFW firewall by typing:
sudo ufw disable
If you want to keep your Droplet’s firewall in place to filter types of traffic not covered by DigitalOcean’s Cloud Firewall service, such as SFTP traffic, you should modify its rules to match the cloud firewall settings to ensure there are no conflicting rules between the two firewalls. You can learn how to modify the UFW rules by following the UFW Essentials: Common Firewall Rules and Commands guide.
FirewallD is an interface for managing a netfilter firewall designed to be user friendly. It is available for most Linux operating systems. If your Droplet runs FirewallD, you can view the current traffic rules with a sequence of checks.
First, check whether FirewallD is active using the
sudo firewall-cmd --state
If you receive the message
running, check the active zones using the
sudo firewall-cmd --get-active-zones
The command returns any network interfaces FirewallD actively controlled by FirewallD rules.
public interfaces: eth0
If FirewallD has active zones, it means that it is evaluating traffic against a set of rules. In the example output, FirewallD is currently managing traffic for the Droplet’s
eth0 network interface.
You can display the ports and services associated with each of the active zones with the
sudo firewall-cmd --info-zone=public
public (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: dhcpv6-client ssh ports: protocols: masquerade: no forward-ports: sourceports: icmp-blocks: rich rules:
Check whether any ports are open by looking at:
targetvalue. If this is set to
%%REJECT%%, the Droplet denies all traffic regardless of the other settings.
portsvalue. This lists ports explicitly allowed through the firewall.
servicesvalue. This lists services that are allowed through the firewall. In the example output above, the
sshservices are allowed through the firewall.
You can also check the ports associated with these services by typing:
sudo firewall-cmd --permanent --get-ports --service=dhcpv6-client sudo firewall-cmd --permanent --get-ports --service=ssh
The example commands return the ports and network protocols associated with the services.
If you have a DigitalOcean Cloud Firewall set up with conflicting rules, you can disable your firewall via FirewallD by typing:
sudo systemctl stop firewalld sudo systemctl disable firewalld
If you want to keep your Droplet’s firewall in place to filter types of traffic not covered by DigitalOcean’s Cloud Firewall service, such as SFTP traffic, you should modify its rules to match the cloud firewall settings to ensure there are no conflicting rules between the two firewalls. You can learn how to modify the FirewallD rules by following the How To Set Up a Firewall Using FirewallD on CentOS 7 guide.
IPTables is a utility program that manages firewalls on Linux systems. It’s native to all Linux operating systems. If you are using IPTables to manage the Droplet’s firewall, you can view the current IPv4 filtering rules by typing:
sudo iptables --line-numbers -vL
--line-numbers flag prepends a
num column to the output to make the returned chart more human-readable. The
-vl flag returns verbose output.
Chain INPUT (policy DROP 1 packets, 40 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 2 764 56512 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 3 9 540 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 374 packets, 97673 bytes) num pkts bytes target prot opt in out source destination
The output indicates:
policyfor incoming and outgoing traffic (
DROPfor incoming, and
iptables command only displays the rules for filtering IPv4 traffic. To show the IPv6 filtering rules, rerun the command using the
ip6tables command instead of
If your DigitalOcean Cloud Firewall has rules that conflict with your
iptables firewall, you can disable your
iptables firewall by running:
sudo iptables -P INPUT ACCEPT sudo iptables -P OUTPUT ACCEPT sudo iptables -P FORWARD ACCEPT sudo iptables -F sudo ip6tables -P INPUT ACCEPT sudo ip6tables -P OUTPUT ACCEPT sudo ip6tables -P FORWARD ACCEPT sudo ip6tables -F
If you are using a service like
iptables-persistent or have a script loading
iptables rules at boot, you may have to disable them to disable the firewall.
If you want to keep your Droplet’s firewall in place to filter types of traffic not covered by DigitalOcean’s Cloud Firewall service, such as SFTP traffic, you should modify its rules to match the cloud firewall settings to ensure there are no conflicting rules between the two firewalls. You can learn how to modify the
iptables rules by following the Iptables Essentials: Common Firewall Rules and Commands guide.
If you have determined that your Droplet’s firewall is not causing connectivity issues, proceed to check your Droplet’s networking configuration.