How to Open and Manage Ports in Linux
Open, close, and verify network ports on your GoZen VPS using UFW, firewalld, and iptables. Covers common hosting ports and troubleshooting connectivity.
Every service on your GoZen VPS listens on a port. Web traffic uses 80 and 443, SSH uses 22, MySQL uses 3306. If a port isn’t open in your firewall, traffic can’t reach the service - even if the service is running perfectly.
This guide covers how to open, close, and verify ports on Ubuntu/Debian (UFW) and Rocky/AlmaLinux (firewalld), plus raw iptables for edge cases.
Common Hosting Ports
Before opening anything, know what you need:
| Port | Protocol | Service | Open to Public? |
|---|---|---|---|
| 22 | TCP | SSH | Yes (or restrict to your IP) |
| 80 | TCP | HTTP | Yes |
| 443 | TCP | HTTPS | Yes |
| 25 | TCP | SMTP (outgoing mail) | Outgoing only |
| 587 | TCP | SMTP Submission | Yes (if running mail) |
| 993 | TCP | IMAPS | Yes (if running mail) |
| 465 | TCP | SMTPS | Yes (if running mail) |
| 3306 | TCP | MySQL/MariaDB | No - restrict to localhost or specific IPs |
| 5432 | TCP | PostgreSQL | No - restrict to localhost or specific IPs |
| 6379 | TCP | Redis | No - restrict to localhost |
| 8080 | TCP | Alternative HTTP / Dev servers | Depends on use case |
| 8443 | TCP | Alternative HTTPS / Control panels | Depends on use case |
| 2083 | TCP | cPanel | Yes (if using cPanel) |
| 2087 | TCP | WHM | Yes (if using cPanel) |
Never open database ports (3306, 5432, 6379) to the public internet. If you need remote database access, restrict it to specific IPs or use an SSH tunnel.
Check What’s Currently Listening
Before opening a port, verify that a service is actually listening on it:
```bash
# Show all listening ports with process names
sudo ss -tlnp

# Check a specific port (e.g., port 3000)
sudo ss -tlnp | grep :3000

# Alternative: using lsof
sudo lsof -i :3000
```
If nothing is listening on the port, opening it in the firewall won’t help - you need to start the service first.
Check Current Firewall Rules
Open a Port
Close a Port
Verify a Port is Reachable
After opening a port, verify it’s actually reachable from outside your server.
From Inside the Server
```bash
# Confirm the service is listening
sudo ss -tlnp | grep :3000

# Confirm the firewall rule exists
sudo ufw status | grep 3000      # UFW
sudo firewall-cmd --list-ports   # firewalld
```
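Both inside-the-server checks, applied to the database ports this guide says to keep private (3306, 5432, 6379); this is an added example, not part of the original guide. The function names and the sample `ss -tln` and `ufw status` output are constructed for illustration, and only single-port UFW rules are parsed.

```bash
#!/bin/sh
# Added example (not from the original guide): audit the database ports.
DB_PORTS="3306 5432 6379"   # ports the guide says must never be public

# stdin: `ss -tln` output. Prints "PORT ADDR" for DB ports bound beyond loopback.
wide_db_listeners() {
  awk -v ports="$DB_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) db[p[i]] = 1 }
    $1 == "LISTEN" {
      k = split($4, part, ":"); port = part[k]      # port follows the last colon
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (!(port in db)) next
      if (addr ~ /^127\./ || addr == "[::1]") next  # loopback-only binding
      print port, addr
    }'
}

# stdin: `ufw status` output. Prints each DB port allowed from Anywhere once.
ufw_public_db_ports() {
  awk -v ports="$DB_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) db[p[i]] = 1 }
    /ALLOW/ && /Anywhere/ {
      split($1, t, "/")                             # "6379/tcp" -> "6379"
      if ((t[1] in db) && !seen[t[1]]++) print t[1]
    }'
}

# Constructed sample outputs, not captured from a real server.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      151        127.0.0.1:3306      0.0.0.0:*
LISTEN 0      511          0.0.0.0:6379      0.0.0.0:*
LISTEN 0      244             [::]:5432         [::]:*
LISTEN 0      511            [::1]:6379         [::]:*'
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
3306/tcp                   ALLOW       203.0.113.50
6379/tcp                   ALLOW       Anywhere
6379/tcp (v6)              ALLOW       Anywhere (v6)'

echo "Bound beyond loopback:"; printf '%s\n' "$SAMPLE_SS"  | wide_db_listeners
echo "Allowed from Anywhere:"; printf '%s\n' "$SAMPLE_UFW" | ufw_public_db_ports
```

In the sample, 6379 is both bound to 0.0.0.0 and allowed from Anywhere, so Redis is publicly reachable, while 5432 is bound on all interfaces and only the firewall keeps it private. On a live server, pipe `sudo ss -tln` and `sudo ufw status` into the two functions instead of the samples.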
From Outside the Server
```bash
# From your local machine or another server
nc -zv your-server-ip 3000

# Using telnet
telnet your-server-ip 3000

# Using nmap (scans the port)
nmap -p 3000 your-server-ip

# Using curl (for HTTP services)
curl -I http://your-server-ip:3000
```
If the port shows as filtered or connection times out, the firewall is blocking it.
Raw iptables (Advanced)
If you’re not using UFW or firewalld, or need to debug at a lower level:
```bash
# List all rules
sudo iptables -L -n -v

# Open a port
# (-A appends to the end of the chain and rules match top-down, so an earlier
#  rule that already matches the traffic wins; -I INPUT inserts at the top)
sudo iptables -A INPUT -p tcp --dport 3000 -j ACCEPT

# Open a port for a specific IP only
sudo iptables -A INPUT -p tcp -s 203.0.113.50 --dport 3306 -j ACCEPT

# Block a port
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP

# Save rules (so they persist after reboot)
# Ubuntu/Debian
sudo apt install iptables-persistent -y
sudo netfilter-persistent save

# Rocky/AlmaLinux
sudo dnf install iptables-services -y
sudo service iptables save
```
Don’t mix raw iptables with UFW or firewalld. They both manage iptables under the hood. Mixing them causes conflicting rules and unpredictable behavior. Pick one approach and stick with it.
Common Scenarios
Open Ports for a Node.js / Next.js App
Your app runs on port 3000 but you want users to access it on port 80/443:
```bash
# Option 1: Open port 3000 directly (for testing)
sudo ufw allow 3000/tcp

# Option 2 (recommended): Use Nginx as a reverse proxy
# Keep port 3000 closed to the public
# Open only 80 and 443
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
```
See Nginx Reverse Proxy for the full setup.
Open Ports for a Game Server
Game servers often use UDP and non-standard ports:
```bash
# Example: Minecraft (TCP 25565)
sudo ufw allow 25565/tcp

# Example: Valheim (UDP 2456-2458)
sudo ufw allow 2456:2458/udp
```
See Hosting a Game Server for specific game configurations.
Temporarily Open a Port for Debugging
```bash
# Open now, but don't persist across reboots (firewalld)
sudo firewall-cmd --add-port=9090/tcp
# This will be gone after firewall-cmd --reload or reboot

# UFW doesn't have a "temporary" mode, so open and close manually:
sudo ufw allow 9090/tcp
# ... debug ...
sudo ufw delete allow 9090/tcp
```
Troubleshooting
| Problem | Fix |
|---|---|
| Port shows as filtered from outside | The firewall is blocking it. Check your rules with ufw status or firewall-cmd --list-all. |
| Port is open in firewall but still not reachable | Is the service actually running? Check with sudo ss -tlnp \| grep :PORT. |
| Service is running but only on 127.0.0.1 | The service is bound to localhost only. Change its config to listen on 0.0.0.0 (all interfaces). |
| “Connection refused” instead of timeout | The port is reachable but nothing is listening. Start the service. |
| UFW is inactive | Enable it: sudo ufw enable. Make sure you allow SSH first! |
| Rules lost after reboot (firewalld) | You forgot --permanent. Re-add with --permanent and --reload. |
| Rules lost after reboot (iptables) | Install iptables-persistent (Debian/Ubuntu) or iptables-services (RHEL) and save. |
| Docker ignores UFW rules | Docker modifies iptables directly, bypassing UFW. See our Firewall Setup Guide for the Docker workaround. |
Last updated 21 Apr 2026, 08:08 +0300.