🟠 High   ⏱ 5–30 min  Last verified: 19 May 2026
Affected versions: Debian 9

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Remote SSH sessions fail after firewall changes, risking admin lockout.

Environment & Reproduction

Typically occurs after policy default-deny rules are enabled.

sudo nft list ruleset
ss -lntp | grep :22
ssh -v localhost

Root Cause Analysis

Missing or misordered SSH allow rule blocks inbound management traffic.

Quick Triage

Inspect effective filter chains and policy defaults.

sudo nft list ruleset
sudo journalctl -k -n 80 --no-pager
ip -br a

Step-by-Step Diagnosis

Confirm sshd is listening and packets reach the host interface.

sudo systemctl status ssh
ss -lntp | grep :22
sudo tcpdump -ni any port 22 -c 20
Illustrative mockup for debian-9 β€” terminal_or_shell
Reviewing nftables active ruleset β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Insert explicit SSH allow rule before restrictive drops.

Still having issues? Our IT Consulting team can diagnose and resolve this for you. Get in touch for a free consultation.

sudo nft add rule inet filter input tcp dport 22 ct state new,established accept
sudo nft list ruleset
sudo systemctl restart ssh
Illustrative mockup for debian-9 β€” log_or_config
Restoring safe SSH allow policy β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Limit SSH access to admin CIDR ranges for tighter control.

sudo nft add rule inet filter input ip saddr 203.0.113.0/24 tcp dport 22 accept
sudo nft list ruleset

Verification & Acceptance Criteria

SSH succeeds locally and from remote management network.

ssh -o ConnectTimeout=5 localhost true
ss -lntp | grep :22
sudo nft list ruleset

Rollback Plan

Flush temporary rules from console if lockout persists.

sudo nft flush ruleset
sudo systemctl restart ssh

Prevention & Hardening

Always stage SSH allow rules before enforcing deny defaults.

sudo nft list ruleset > /etc/nftables.conf
sudo systemctl enable --now nftables

Can overlap with cloud security-group or ACL misconfiguration.

Related tutorial: View the step-by-step tutorial for Debian 9.

View all Debian 9 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Debian nftables and OpenSSH hardening guidance.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.