Affected versions: Debian 11

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Inbound access fails because nftables or iptables policy drops valid traffic.

Environment & Reproduction

Often triggered by rule deployment changes or automation drift.

cat /etc/os-release
sudo nft list ruleset
ss -ltnp

Root Cause Analysis

Rule order or default policy denies required ports before allow rules.

Quick Triage

Identify active firewall backend and current input chain policy.

sudo nft list ruleset | sed -n '1,120p'
sudo iptables -S      # Debian 11 ships iptables-nft, so these rules also appear in the nft ruleset above
systemctl status nftables --no-pager

Step-by-Step Diagnosis

Trace packet path and confirm whether counters increment on drop rules.

sudo nft monitor trace      # only reports packets that a rule has marked with `meta nftrace set 1`
sudo nft list chain inet filter input      # per-rule counters are shown for rules that carry `counter`
sudo tcpdump -ni any 'tcp port 22 or tcp port 80'

Solution – Primary Fix

Insert explicit allow rules for required ports before drop policy.

# Assumes the table "inet filter" and its base chain "input" already exist (see `nft list ruleset`).
# `add rule` appends to the chain, so these only take effect if no earlier terminal drop rule precedes them;
# in that case use `nft insert rule ...` (prepends) or `nft add rule ... position <handle>`.
sudo nft add rule inet filter input ct state established,related accept
sudo nft add rule inet filter input iif lo accept
sudo nft add rule inet filter input 'tcp dport { 22, 80, 443 } accept'   # quoted: the shell would otherwise brace-expand {22,80,443}
sudo nft add rule inet filter input counter drop

Solution – Alternative Approaches

Use a temporary maintenance rule, tagged with a comment and given a fixed time window, while validating the permanent rules. nftables rules do not expire on their own, so when the window ends look up the rule's handle and delete it explicitly.

sudo nft add rule inet filter input 'tcp dport 22 accept comment "temp-ssh"'   # quoted so nft receives the comment string intact
sudo nft -a list chain inet filter input      # note the handle of the "temp-ssh" rule, then: sudo nft delete rule inet filter input handle <N>

Verification & Acceptance Criteria

Required services are reachable and firewall counters reflect expected flows.

# Loopback checks are accepted by `iif lo accept` regardless of the port rules; confirm from a remote host as well.
nc -zv localhost 22
curl -I http://localhost
sudo nft list chain inet filter input

Rollback Plan

Load last known-good ruleset if new policy causes outages.

# The snapshot must begin with `flush ruleset` so the load replaces the live rules instead of merging with them.
sudo nft -f /root/nftables.lastgood.conf

Prevention & Hardening

Apply staged firewall changes with automated health checks.

# A plain `sudo nft list ruleset > /etc/nftables.conf` fails: the redirect runs as the calling user. Write through tee,
# and prefix `flush ruleset` so nftables.service (which runs `nft -f /etc/nftables.conf`) reloads cleanly.
{ echo '#!/usr/sbin/nft -f'; echo 'flush ruleset'; sudo nft list ruleset; } | sudo tee /etc/nftables.conf >/dev/null
sudo systemctl enable nftables
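The staged change with health check and rollback described in this section and the Rollback section, as an added example (not part of the original page): the script snapshots the live ruleset, loads a candidate file as one nft transaction, runs a health check, and restores the snapshot on failure. The candidate path and the `NFT` override variable are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original page: stage a candidate nftables ruleset
# with an automated health check and automatic rollback.
# Assumed paths: CANDIDATE (e.g. /root/nftables.candidate.conf) and the snapshot
# file /root/nftables.lastgood.conf used by the Rollback section.
# NFT may be overridden (e.g. NFT=true) to exercise the control flow without root.

# stage_ruleset CANDIDATE SNAPSHOT CHECK_CMD
# Return codes: 0 candidate live and healthy, 1 rolled back after failed check,
#               2 could not snapshot, 3 candidate refused by nft (live rules unchanged)
stage_ruleset() {
  candidate=$1; snapshot=$2; check=$3
  nft=${NFT:-nft}

  # 1. Snapshot the live ruleset. "flush ruleset" makes the file a full replacement,
  #    so reloading it restores exactly this state instead of merging rules.
  { echo '#!/usr/sbin/nft -f'; echo 'flush ruleset'; $nft list ruleset; } > "$snapshot" || return 2

  # 2. Load the candidate. nft -f applies the whole file as one transaction:
  #    a syntax or semantic error leaves the live ruleset untouched.
  $nft -f "$candidate" || { echo "candidate rejected; live ruleset unchanged" >&2; return 3; }

  # 3. Health check. A check from a remote host is preferable when available,
  #    because loopback traffic is accepted by "iif lo accept" and can mask an inbound block.
  if sh -c "$check"; then
    echo "health check passed; candidate ruleset is live"
    return 0
  fi

  # 4. Roll back to the snapshot.
  echo "health check failed; rolling back" >&2
  $nft -f "$snapshot" || echo "WARNING: rollback failed, inspect 'nft list ruleset' now" >&2
  return 1
}

# Example invocation (run as root on the Debian 11 host):
#   stage_ruleset /root/nftables.candidate.conf /root/nftables.lastgood.conf \
#     'nc -z 127.0.0.1 22 && curl -sfI http://127.0.0.1 >/dev/null'
```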

Related Errors & Cross-Refs

Related symptoms include SSH connection timeouts and HTTP 522 responses from upstream health checks.

References & Further Reading

Debian nftables migration and firewall policy design documentation.
