Vultr DocsLatest Content
Associated Doc

How Do I Debug a Firewall Causing Connection Problems With My Vultr Compute Instance?

Updated on 15 September, 2025

Troubleshooting guide for identifying and resolving firewall-related connectivity issues with Vultr Compute instances.

If you're experiencing connection issues with your Vultr Compute instance, the problem may be due to a misconfigured firewall. Misconfigured rules can prevent your server from accepting incoming or initiating outgoing traffic. On Vultr you can configure instance level firewall or a Firewall Group:

  • Instance-level firewalls such as iptables, ufw, or firewalld, configured directly on the OS.
  • Vultr Firewall Groups, configured through the Vultr Customer Portal.

Check both layers to diagnose and resolve connectivity issues.

Check Instance-Level Firewall Rules

IPTables

Vultr instances running Linux have iptables installed by default. To check if any firewall rules are active, run:

console 
$ sudo iptables -L

  • No Active Rules (Firewall Not Filtering Traffic)

    Chain INPUT (policy ACCEPT)

Chain FORWARD (policy ACCEPT)

Chain OUTPUT (policy ACCEPT)

    If the output is like this, your instance is not blocking any connections at the OS level. In this case, check your Vultr Firewall Group settings.

  • Active Rules (Firewall Filtering Traffic)

    Chain INPUT (policy DROP)
...
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2222

    If the policy is DROP or certain ports are explicitly allowed, then filtering is active. Proceed to inspect using UFW or FirewallD.

Disable IPTables Rules

If you're using conflicting firewall rules and need to reset:

console 
$ sudo iptables -P INPUT ACCEPT
$ sudo iptables -P OUTPUT ACCEPT
$ sudo iptables -P FORWARD ACCEPT
$ sudo iptables -F

And for IPv6:

console 
$ sudo ip6tables -P INPUT ACCEPT
$ sudo ip6tables -P OUTPUT ACCEPT
$ sudo ip6tables -P FORWARD ACCEPT
$ sudo ip6tables -F
Note
These commands fully disable filtering; use with caution.

UFW (Uncomplicated Firewall)

If your instance uses UFW (common on Ubuntu), run:

console 
$ sudo ufw status verbose

Sample Output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
3001                       ALLOW IN    Anywhere                  
80                         ALLOW IN    Anywhere                  
443                        ALLOW IN    Anywhere  
22/tcp (OpenSSH)           ALLOW IN    Anywhere

This means only the listed ports (e.g., 22, 80, 443, 3001) are allowed, and all other incoming connections are denied by default.

  • If you want to disable UFW temporarily:

    console 
    $ sudo ufw disable
    Note
    Only disable UFW if you have Console access to recover SSH.

  • You can modify UFW rules to match your application's needs using:

    console 
    $ sudo ufw allow <port>/<protocol>

Firewalld

Some Linux distributions (CentOS, Rocky, AlmaLinux) use firewalld.

  1. Check the firewalld status.

    console 
    $ sudo firewall-cmd --state

    If running, list active zones:

    console 
    $ sudo firewall-cmd --get-active-zones

  2. List rules in a zone:

    console 
    $ sudo firewall-cmd --info-zone=public

  3. Stop and disable firewalld if needed:

    console 
    $ sudo systemctl stop firewalld
$ sudo systemctl disable firewalld

Check Vultr Firewall Groups

If your instance is attached to a Vultr Firewall Group:

  1. Navigate to the Firewall section in the Vultr Customer Portal.
  2. Select the Firewall Group linked to your instance.
  3. Review Inbound Rules and ensure necessary ports (e.g., 22/tcp for SSH) are open.
  4. Review Outbound Rules to ensure the instance can connect to external services.
Note
Vultr Firewall Groups use a default-deny policy. If a specific port or protocol is not explicitly allowed in the inbound rules, all traffic on that port will be blocked.