Opening a port in the Linux firewall allows external hosts to reach a listening service, such as a web server, database, or custom application, instead of having packets silently dropped at the edge of the system.
The firewall on most modern Linux distributions filters traffic using kernel packet filtering (iptables or nftables) and exposes friendlier tools, such as ufw on Ubuntu, for managing rules. Allowing a port adds an inbound rule so that new connections to a specific port and protocol are accepted rather than denied by the default policy.
Changing firewall rules requires administrative privileges and a clear understanding of which services should be reachable from the network, especially on remote servers where a mistake can cut off access. Instructions here target Ubuntu and other Debian-derived systems using ufw as a front-end to iptables and nftables, while other distributions commonly use firewalld or raw nftables rules.
$ whoami
root
$ sudo ufw status verbose
Status: inactive
ufw reports Status: inactive when not yet enabled, which is common on fresh installations.
$ sudo ufw allow OpenSSH
Rules updated
Rules updated (v6)
Enabling ufw without permitting SSH can block future remote logins and require console or out-of-band access to fix the configuration.
$ sudo ufw --force enable
Firewall is active and enabled on system startup
Enabling ufw turns the configured defaults into live rules, typically denying incoming connections except for explicitly allowed ports.
$ sudo ufw allow 8080/tcp
Rule added
Rule added (v6)
Specifying /tcp constrains the rule to TCP traffic, which is typical for HTTP, HTTPS, and many custom application protocols.
$ sudo ufw allow 1194/udp
Rule added
Rule added (v6)
VPN protocols such as OpenVPN often listen on UDP ports, so matching the protocol type avoids confusing partial connectivity issues.
$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    Anywhere
[ 2] 8080/tcp                   ALLOW IN    Anywhere
[ 3] 1194/udp                   ALLOW IN    Anywhere
[ 4] OpenSSH (v6)               ALLOW IN    Anywhere (v6)
[ 5] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)
[ 6] 1194/udp (v6)              ALLOW IN    Anywhere (v6)
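Numbered rules provide references for later changes, such as deleting a specific entry by its index. ufw renumbers the remaining rules after each deletion, so list the rules again before removing another entry by number.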
$ nc -vz 127.0.0.1 8080
Connection to 127.0.0.1 8080 port [tcp/http-alt] succeeded!
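If nc is unavailable, an equivalent tool such as telnet, or a browser for HTTP ports, can verify that the service responds through the firewall. A test against 127.0.0.1 confirms only that the service is listening, because ufw's default rules accept loopback traffic; repeat the check from another host against the server's network address to confirm the new rule.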
$ sudo ufw delete allow 8080/tcp
Rule deleted
Rule deleted (v6)
Closing unused ports reduces exposure to accidental misconfiguration and opportunistic scans that probe for open services.
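The numbered listing and the delete step above can be combined. The sketch below is an added example, not part of the original guide: it parses `ufw status numbered` output and prints delete commands highest index first, because ufw renumbers the remaining rules after each deletion. The function names and the embedded sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ufw status numbered` output (same rules as the listing above).
sample_status() {
cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    Anywhere
[ 2] 8080/tcp                   ALLOW IN    Anywhere
[ 3] 1194/udp                   ALLOW IN    Anywhere
[ 4] OpenSSH (v6)               ALLOW IN    Anywhere (v6)
[ 5] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)
[ 6] 1194/udp (v6)              ALLOW IN    Anywhere (v6)
EOF
}

# rule_numbers TARGET
# Reads a numbered listing on stdin and prints the index of every rule whose
# "To" column equals TARGET (IPv4 and v6 entries alike), highest index first.
rule_numbers() {
    awk -v target="$1" '
        /^\[ *[0-9]+\]/ {
            num = $0
            sub(/^\[ */, "", num); sub(/\].*/, "", num)
            to = $0
            sub(/^\[ *[0-9]+\] */, "", to)                # drop the "[ N] " prefix
            sub(/ +(ALLOW|DENY|REJECT|LIMIT).*/, "", to)  # cut at the Action column
            sub(/ \(v6\)$/, "", to)                       # treat the v6 twin as the same target
            if (to == target) print num
        }' | sort -rn
}

# delete_plan TARGET
# Prints one "ufw delete N" per matching rule without running anything.
# Descending order matters: deleting [2] first would shift [5] 8080/tcp (v6)
# down to [4], and a following "ufw delete 5" would hit 1194/udp (v6) instead.
delete_plan() {
    rule_numbers "$1" | while read -r n; do
        echo "ufw delete $n"
    done
}

# Demo on the constructed sample.
sample_status | delete_plan 8080/tcp
```

On a live host, pipe the real listing in with `sudo ufw status numbered | delete_plan 8080/tcp` and review the printed commands before running them.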