Why does iptables say 'connection refused' even though I added an ACCEPT rule?

iptables evaluates rules top-to-bottom and stops at the first match. If there is a DROP or REJECT rule above your ACCEPT rule for the same port or source, the DROP fires first and your ACCEPT rule is never reached. Run 'sudo iptables -L INPUT -n -v --line-numbers' and verify the ACCEPT rule appears at a lower line number than any DROP rule covering the same traffic. Use 'iptables -I INPUT ' to insert the ACCEPT at the correct position rather than appending with -A.

Why does iptables say 'Permission denied' even when I run it with sudo?

This almost always means you are inside a container (Docker, LXC, Kubernetes) that was launched without the NET_ADMIN capability. The sudo command escalates within the container's user namespace, but NET_ADMIN is a capability granted by the container runtime, not by sudo. Verify with 'capsh --print | grep net_admin'. Fix it by adding '--cap-add NET_ADMIN' to your Docker run command, or setting 'capabilities: add: [NET_ADMIN]' in the Kubernetes pod securityContext.

Why are my iptables rules not working after a reboot?

iptables rules are stored in kernel memory only and are flushed on every reboot unless you install a persistence mechanism. On Debian/Ubuntu, install 'iptables-persistent' and run 'netfilter-persistent save'. On RHEL/CentOS, run 'iptables-save > /etc/sysconfig/iptables' and enable the iptables service with 'systemctl enable iptables'. Always verify the saved file is valid with 'iptables-restore --test < /etc/iptables/rules.v4' before relying on it.

Why is iptables slow and causing connection timeouts under high traffic?

Two common causes: (1) The nf_conntrack table is full — check 'sysctl net.netfilter.nf_conntrack_count' vs 'net.netfilter.nf_conntrack_max'. If count is near max, increase the limit with 'sysctl -w net.netfilter.nf_conntrack_max=262144'. (2) Too many individual rules — iptables evaluates each rule linearly per packet. If you have hundreds of IP-based rules, replace them with ipset, which provides O(1) hash-based lookups. A single iptables rule matching an ipset of 100,000 IPs is dramatically faster than 100,000 individual rules.

Why does 'iptables -L' show no rules but connections are still being dropped?

On modern distributions, there may be a parallel nftables ruleset that iptables cannot see. Run 'sudo nft list ruleset' to check for active nftables rules. Additionally, check all tables — the default 'iptables -L' only shows the filter table. Run 'sudo iptables -t nat -L -n' and 'sudo iptables -t mangle -L -n' to inspect other tables. Also verify you are querying the correct backend: if the system is using iptables-nft but your rules were loaded with iptables-legacy (or vice versa), one set is invisible to the other. Check 'iptables --version' for the backend in use.

iptables Connection Refused: Fix Permission Denied, Failed Rules & Slow Firewall

Q: Why is iptables slow and causing connection timeouts under high traffic?

Two common causes: (1) The nf_conntrack table is full — check 'sysctl net.netfilter.nf_conntrack_count' vs 'net.netfilter.nf_conntrack_max'. If count is near max, increase the limit with 'sysctl -w net.netfilter.nf_conntrack_max=262144'. (2) Too many individual rules — iptables evaluates each rule linearly per packet. If you have hundreds of IP-based rules, replace them with ipset, which provides O(1) hash-based lookups. A single iptables rule matching an ipset of 100,000 IPs is dramatically faster than 100,000 individual rules.

Q: Why does 'iptables -L' show no rules but connections are still being dropped?

On modern distributions, there may be a parallel nftables ruleset that iptables cannot see. Run 'sudo nft list ruleset' to check for active nftables rules. Additionally, check all tables — the default 'iptables -L' only shows the filter table. Run 'sudo iptables -t nat -L -n' and 'sudo iptables -t mangle -L -n' to inspect other tables. Also verify you are querying the correct backend: if the system is using iptables-nft but your rules were loaded with iptables-legacy (or vice versa), one set is invisible to the other. Check 'iptables --version' for the backend in use.

Fix iptables connection refused, permission denied, and not working errors. Step-by-step commands to diagnose DROP rules, backend conflicts, and conntrack issue

Last updated: February 23, 2026

Last verified: February 23, 2026

2,362 words

Key Takeaways

Root cause 1: A DROP default policy or explicit DROP/REJECT rule on the INPUT chain is the most common cause of 'connection refused' — any port not explicitly ACCEPTed is silently blocked.
Root cause 2: Modern distros (Debian 10+, Ubuntu 20.04+, RHEL 8+) ship iptables pointing to an nftables backend; mixing legacy and nft rules causes silent failures and 'iptables not working' symptoms.
Root cause 3: Running iptables without root or without the NET_ADMIN capability produces 'iptables: Permission denied (you must be root).' — always use sudo or ensure the container has the capability.
Root cause 4: A full netfilter conntrack table (nf_conntrack: table full, dropping packet) causes new connections to be dropped and makes iptables appear slow or broken.
Quick fix: Run 'sudo iptables -L -n -v --line-numbers' to list all rules, identify the blocking rule by line number, then either delete it with 'iptables -D INPUT <line>' or insert an ACCEPT rule before it with 'iptables -I INPUT <line>'.

Fix Approaches Compared
Method	When to Use	Time	Risk
Insert ACCEPT rule before DROP	Specific port blocked by an explicit rule; default policy is ACCEPT	< 2 min	Low — surgical change, easily reversed with iptables -D
Change default INPUT policy to ACCEPT	Default policy is DROP and you need temporary broad access to diagnose	< 1 min	High — opens all ports; use only in isolated/dev environments
Switch iptables backend (legacy vs nft)	Rules silently ignored; iptables --version shows '(nf_tables)' but rules were written for legacy	5–10 min	Medium — requires flushing existing rules and reloading
Flush all rules and rebuild	Ruleset is corrupted, contradictory, or unknown origin; starting fresh is safer	10–20 min	Medium — all protection removed during rebuild; restore immediately
Increase nf_conntrack_max via sysctl	High-traffic host; 'nf_conntrack: table full' in dmesg; connections dropping under load	2–5 min	Low — persisted via sysctl.conf; no service restart needed
Replace large IP lists with ipset	Hundreds of ACCEPT/DROP rules causing slow packet processing and CPU spikes	15–30 min	Low — ipset is kernel-supported; seamless integration with iptables

Understanding iptables Errors: Connection Refused, Failed, Permission Denied, and Slow

iptables is the userspace interface to the Linux kernel's netfilter packet-filtering framework. When a connection is refused or rules silently fail, the underlying cause almost always falls into one of five categories: a DROP rule or policy blocking legitimate traffic, a privilege or capability gap, a backend mismatch between iptables-legacy and iptables-nft, a corrupted or missing kernel module, or conntrack table exhaustion under load.

Before touching any rules, understand the exact error text you are seeing:

iptables: Permission denied (you must be root).
iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument
iptables: No chain/target/match by that name.
iptables: Table does not exist (do you need to insmod?)
nf_conntrack: table full, dropping packet
iptables: No such file or directory

Each error points to a distinct root cause and a different fix path.

Step 1: Verify Privileges and Capabilities

Every iptables command requires root or the CAP_NET_ADMIN Linux capability. The symptom is immediate: you run the command and get iptables: Permission denied (you must be root).

Verify your effective user and re-run with sudo:

whoami
sudo iptables -L -n

If you are inside a Docker container or Kubernetes pod, the container runtime must grant NET_ADMIN. Check with:

capsh --print | grep net_admin
# Should output: cap_net_admin

For Docker, add the capability at run time:

docker run --cap-add NET_ADMIN ...

For Kubernetes, add the securityContext to the pod spec:

securityContext:
  capabilities:
    add: ["NET_ADMIN"]

Step 2: Identify the iptables Backend (Legacy vs nftables)

This is the most frequently overlooked cause of iptables not working on modern distributions. Debian 10 Buster, Ubuntu 20.04, and RHEL 8 all ship iptables as a shim pointing to either iptables-legacy (direct kernel netfilter) or iptables-nft (translates to nftables). Mixing rules written for one backend into the other causes them to be silently ignored or throws the error:

iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument

Check which backend is active:

iptables --version
# iptables v1.8.7 (nf_tables)  <-- nftables backend
# iptables v1.8.7 (legacy)     <-- legacy backend

update-alternatives --list iptables

If your scripts or saved rules were written for the legacy backend but the system is running nft, switch back:

sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

Flush and reload your rules after switching:

sudo iptables -F
sudo iptables -X
sudo iptables-restore < /etc/iptables/rules.v4

Step 3: Audit Current Rules to Find the Blocking Entry

The iptables -L command is your primary diagnostic tool. Always include -n (skip reverse DNS lookups, which slow output), -v (show interface and packet counts), and --line-numbers (required for targeted deletion):

sudo iptables -L -n -v --line-numbers

Pay close attention to:

Default policy — shown as policy ACCEPT or policy DROP on the chain header line. A DROP default means every packet not matched by an explicit ACCEPT rule is silently discarded.
Explicit DROP or REJECT rules — scan for lines containing DROP or REJECT before any ACCEPT rule for the port in question. iptables evaluates rules top-to-bottom and stops at the first match.
Packet counts — a rule with a rapidly increasing packet count is actively matching traffic.

To add temporary logging to trace exactly which rule is dropping packets:

# Insert logging rule at the top of INPUT (position 1)
sudo iptables -I INPUT 1 -j LOG --log-prefix "IPT_DEBUG: " --log-level 4

# Tail the kernel log and attempt the failing connection from another terminal
sudo journalctl -kf | grep IPT_DEBUG
# Example output:
# IPT_DEBUG: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 PROTO=TCP DPT=8080 SYN

# Remove the debug rule when done
sudo iptables -D INPUT 1

Step 4: Fix the Blocking Rule

Once you identify the line number of the problematic rule, you have two clean options:

Option A — Delete the offending rule:

# Delete rule at line 5 of INPUT chain
sudo iptables -D INPUT 5

Option B — Insert an ACCEPT rule before the blocking rule:

# Insert ACCEPT for TCP port 8080 at line 3, pushing the DROP rule down
sudo iptables -I INPUT 3 -p tcp --dport 8080 -j ACCEPT

Critical rules that must exist for a stateful firewall to work correctly:

# Allow loopback (localhost) traffic — missing this breaks many local services
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow established and related connections — missing this breaks replies to outbound connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow a specific service port
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Step 5: Diagnose and Fix nf_conntrack Table Full (iptables Slow)

Under high connection volume, the kernel's connection tracking table fills up. New connection attempts are dropped at the kernel level, producing nf_conntrack: table full, dropping packet in dmesg and making iptables appear slow or broken even though the rules are correct.

Check table utilization:

# Current entries vs. maximum
sysctl net.netfilter.nf_conntrack_count
sysctl net.netfilter.nf_conntrack_max

# View all tracked connections
sudo cat /proc/net/nf_conntrack | wc -l

# Check for the error in kernel logs
sudo dmesg | grep -i conntrack | tail -20

If count approaches max, increase the limit at runtime and persist it:

sudo sysctl -w net.netfilter.nf_conntrack_max=262144
echo 'net.netfilter.nf_conntrack_max=262144' | sudo tee -a /etc/sysctl.d/99-conntrack.conf

For hosts that do not need stateful tracking (pure packet filtering), disable conntrack entirely for specific traffic to reduce overhead:

sudo iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
sudo iptables -t raw -A OUTPUT -p tcp --sport 80 -j NOTRACK

Step 6: Replace Large Rule Sets with ipset for Performance

If you have hundreds of individual IP-based ACCEPT or DROP rules, iptables evaluates them linearly per packet, causing CPU spikes and slow throughput. Replace them with ipset, which uses kernel hash tables for O(1) lookups:

sudo apt-get install ipset   # Debian/Ubuntu
sudo yum install ipset       # RHEL/CentOS

# Create a set and populate it
sudo ipset create blocked_ips hash:ip maxelem 1000000
sudo ipset add blocked_ips 203.0.113.42
sudo ipset add blocked_ips 198.51.100.7

# Reference the set from iptables with a single rule
sudo iptables -I INPUT 1 -m set --match-set blocked_ips src -j DROP

# Persist the set across reboots
sudo ipset save > /etc/ipset.rules

Step 7: Persist Rules Across Reboots

iptables rules are in-memory only and are lost on reboot unless explicitly saved.

Debian/Ubuntu:

sudo apt-get install iptables-persistent
sudo netfilter-persistent save
# Writes to /etc/iptables/rules.v4 and /etc/iptables/rules.v6

RHEL/CentOS/AlmaLinux:

sudo iptables-save | sudo tee /etc/sysconfig/iptables
sudo systemctl enable iptables

Verify saved rules are syntactically valid before the next reboot:

sudo iptables-restore --test < /etc/iptables/rules.v4
# No output = valid. Any error output = broken rules file.

Frequently Asked Questions

bash

#!/usr/bin/env bash
# iptables diagnostic script
# Run as root or with sudo
# Usage: sudo bash iptables-diag.sh [port]

PORT=${1:-""}

echo "=== iptables Backend ==="
iptables --version
update-alternatives --list iptables 2>/dev/null || echo "(update-alternatives not available)"

echo ""
echo "=== Current Privileges ==="
whoami
capsh --print 2>/dev/null | grep -E '(net_admin|Current)' || echo "capsh not installed"

echo ""
echo "=== filter table: INPUT chain (with packet counts) ==="
iptables -L INPUT -n -v --line-numbers

echo ""
echo "=== Default Policies ==="
iptables -L | grep -E '^Chain'

echo ""
echo "=== nf_conntrack Status ==="
if [ -f /proc/net/nf_conntrack ]; then
  CURRENT=$(wc -l < /proc/net/nf_conntrack)
  MAX=$(sysctl -n net.netfilter.nf_conntrack_max 2>/dev/null || echo "unknown")
  echo "Conntrack entries: $CURRENT / $MAX"
else
  echo "nf_conntrack not loaded"
fi

echo ""
echo "=== Recent conntrack drops in dmesg ==="
dmesg | grep -i conntrack | tail -5 || echo "(no conntrack messages)"

if [ -n "$PORT" ]; then
  echo ""
  echo "=== Rules matching port $PORT ==="
  iptables -L INPUT -n -v --line-numbers | grep -E "(dpt:$PORT|all)"

  echo ""
  echo "=== Checking if port $PORT is listening ==="
  ss -tlnp "sport = :$PORT" 2>/dev/null || netstat -tlnp 2>/dev/null | grep ":$PORT"
fi

echo ""
echo "=== nftables ruleset (if active) ==="
nft list ruleset 2>/dev/null || echo "(nft not installed or no rules)"

echo ""
echo "=== iptables-persistent / saved rules ==="
if [ -f /etc/iptables/rules.v4 ]; then
  echo "Found /etc/iptables/rules.v4 — validating..."
  iptables-restore --test < /etc/iptables/rules.v4 2>&1 && echo "OK" || echo "SYNTAX ERROR in saved rules"
elif [ -f /etc/sysconfig/iptables ]; then
  echo "Found /etc/sysconfig/iptables — validating..."
  iptables-restore --test < /etc/sysconfig/iptables 2>&1 && echo "OK" || echo "SYNTAX ERROR in saved rules"
else
  echo "No saved rules file found (rules will not survive reboot)"
fi

echo ""
echo "=== Quick Fixes ==="
echo "# Allow a port:          sudo iptables -I INPUT 1 -p tcp --dport <PORT> -j ACCEPT"
echo "# Allow ESTABLISHED:     sudo iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
echo "# Delete rule by line:   sudo iptables -D INPUT <LINE_NUMBER>"
echo "# Save rules (Debian):   sudo netfilter-persistent save"
echo "# Save rules (RHEL):     sudo iptables-save > /etc/sysconfig/iptables"
echo "# Increase conntrack:    sudo sysctl -w net.netfilter.nf_conntrack_max=262144"
echo "# Switch to legacy:      sudo update-alternatives --set iptables /usr/sbin/iptables-legacy"

Error Medic Editorial

The Error Medic Editorial team consists of senior Linux engineers and SREs with backgrounds at cloud providers and managed hosting companies. Our troubleshooting guides are tested against real production incidents on Debian, Ubuntu, RHEL, and Alpine Linux. We focus on actionable root-cause analysis over superficial quick fixes.

Sources

Diagnose and fix iptables connection refused, permission denied, and slow performance issues. Actionable steps to restore your Linux firewall network access.

Troubleshooting 'iptables connection refused': A Comprehensive Guide

Fix 'iptables connection refused' errors by diagnosing firewall rules, checking service listening states, and resolving permission denied issues.

Apache Crash & Not Working: Complete Troubleshooting Guide (Connection Refused, OOM, Core Dump)

Fix Apache crashes, connection refused errors, and OOM kills in minutes. Step-by-step diagnostic commands, MPM tuning, and core dump analysis included.

AWS Redis Connection Refused: Troubleshooting ECONNREFUSED and tcp 127.0.0.1:6379

Fix 'Redis connection refused' errors in AWS, Kubernetes, Laravel, and WSL. Learn how to diagnose binding issues, security groups, and network configurations.