
    Clear iptables Rules

    Recovering from firewall lockout

    If you find yourself unable to reach your VPS but able to reach other parts of our network, you may have locked yourself out with iptables firewall rules.

    Common Symptom

    SSH connections time out or are refused, but you can ping other RamNode servers. This usually means iptables is blocking access.

    Quick Fix: Clear All Rules

    Access your VPS via VNC console and run these commands:

    # Clear all iptables rules
    iptables -F
    iptables -X
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    What These Commands Do

    • iptables -F - Flush (delete) all rules in all chains
    • iptables -X - Delete all user-defined chains
    • iptables -P INPUT ACCEPT - Set default policy to accept incoming
    • iptables -P OUTPUT ACCEPT - Set default policy to accept outgoing
    • iptables -P FORWARD ACCEPT - Set default policy to accept forwarded

    After running these commands, you should be able to connect via SSH again.

    Common iptables Mistakes

    Blocking Your Own IP

    Setting rules without allowing your own IP address first is a common mistake. Always add your IP to the whitelist before applying restrictive rules.

    Wrong Default Policy

    Setting default policy to DROP without explicit ACCEPT rules for SSH locks you out immediately.

    Missing Established Connections Rule

    Forgetting to allow established and related connections breaks existing SSH sessions.

    "Operation Not Permitted" Error

    If you see "Operation not permitted" when trying to ping outbound from your VPS, iptables rules are likely blocking ICMP. Use the commands above to clear the rules.

    Prevention is Better Than Cure

    Always test firewall rules carefully. Consider using a firewall management tool such as UFW or firewalld, which have built-in safeguards against lockout.

    Safe iptables Configuration

    When configuring iptables, follow this safe order:

    1. Allow Established Connections

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    2. Allow Loopback

    iptables -A INPUT -i lo -j ACCEPT

    3. Allow SSH

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    4. Allow Your Services

    # Web server
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    
    # Mail server (if needed)
    iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp --dport 587 -j ACCEPT

    5. Set Default Policy (Last!)

    # Only do this AFTER adding all your rules!
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
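    The five steps above as one script with a rollback timer, added here as an example and not part of the RamNode documentation. It applies the rules in the safe order, refuses to run if the SSH rule would not precede the INPUT DROP policy, and reopens the firewall after a grace period unless you reconnect and confirm; the confirmation file /run/fw-ok, the 60-second window and the dry_run helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not RamNode's script: apply the page's safe rule order with a
# dead-man rollback. Hypothetical: /run/fw-ok confirmation file, 60 s grace. Run as root.
SSH_PORT="${SSH_PORT:-22}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"
CONFIRM_FILE="${CONFIRM_FILE:-/run/fw-ok}"
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=dry_run to print instead of apply
dry_run() { printf 'iptables %s\n' "$*"; }

# Rules in the safe order: established, loopback, SSH, services, then policies last.
safe_rules() {
    cat <<EOF
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
EOF
}

# Guard: the SSH ACCEPT rule must be listed before the INPUT DROP policy.
check_order() {
    ssh_at=$(safe_rules | grep -n -- "--dport $SSH_PORT " | cut -d: -f1)
    drop_at=$(safe_rules | grep -n -- "^-P INPUT DROP" | cut -d: -f1)
    [ -n "$ssh_at" ] && [ -n "$drop_at" ] && [ "$ssh_at" -lt "$drop_at" ]
}

# The "Quick Fix" state from above: no rules, everything accepted.
open_firewall() {
    $IPTABLES -F; $IPTABLES -X
    for chain in INPUT OUTPUT FORWARD; do $IPTABLES -P "$chain" ACCEPT; done
}

apply_rules() {   # $rule is left unquoted on purpose so it splits into arguments
    safe_rules | while read -r rule; do $IPTABLES $rule; done
}
# Apply, then reopen the firewall after ROLLBACK_SECS unless you reconnect over
# SSH in time and confirm with: touch /run/fw-ok
apply_with_rollback() {
    check_order || { echo "refusing: SSH rule must precede INPUT DROP" >&2; return 1; }
    rm -f "$CONFIRM_FILE"
    open_firewall           # start clean so stale rules cannot interfere
    apply_rules
    ( sleep "$ROLLBACK_SECS"; [ -f "$CONFIRM_FILE" ] || open_firewall ) &
    echo "applied; run 'touch $CONFIRM_FILE' within ${ROLLBACK_SECS}s or the firewall reopens"
}
```

Run `IPTABLES=dry_run sh -c '. ./safe-fw.sh; apply_rules'` first to review the exact commands, then `apply_with_rollback` for real and confirm from a fresh SSH session.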

    Using Firewall Management Tools

    UFW (Uncomplicated Firewall)

    UFW provides a simpler interface to iptables:

    # Install UFW
    apt-get install ufw
    
    # Allow SSH first!
    ufw allow 22/tcp
    
    # Allow web traffic
    ufw allow 80/tcp
    ufw allow 443/tcp
    
    # Enable firewall
    ufw enable

    firewalld (CentOS/RHEL)

    # Install and start firewalld
    yum install firewalld
    systemctl start firewalld
    
    # Allow services
    firewall-cmd --permanent --add-service=ssh
    firewall-cmd --permanent --add-service=http
    firewall-cmd --permanent --add-service=https
    
    # Reload
    firewall-cmd --reload

    Saving iptables Rules

    iptables rules are not persistent by default. To save them:

    Debian/Ubuntu

    # Install iptables-persistent
    apt-get install iptables-persistent
    
    # Save current rules
    netfilter-persistent save
    
    # Or manually
    iptables-save > /etc/iptables/rules.v4

    CentOS/RHEL

    service iptables save

    Test Before Saving

    Always test your firewall rules thoroughly before making them persistent. If you lock yourself out before saving, a reboot will clear the rules.

    Still Locked Out?

    If clearing iptables rules doesn't restore access:

    • Check if fail2ban or similar tools are blocking you
    • Verify the SSH service is running: systemctl status sshd
    • Check SSH configuration in /etc/ssh/sshd_config
    • Review system logs: journalctl -xe
    • Contact support if issues persist

    If you need assistance with firewall configuration or are locked out and can't access VNC, contact our support team. We can help you regain access and configure your firewall correctly.