diff --git a/cmd/main.go b/cmd/main.go
index 2540c796..ce37e7b0 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -136,6 +136,8 @@ func main() {
 if allSettings.TinyProxy.Enabled {
 err = tinyProxyConf.MakeConf(allSettings.TinyProxy.LogLevel, allSettings.TinyProxy.Port, allSettings.TinyProxy.User, allSettings.TinyProxy.Password, uid, gid)
 e.FatalOnError(err)
+ err = firewallConf.AllowAnyIncomingOnPort(allSettings.TinyProxy.Port)
+ e.FatalOnError(err)
 stream, waitFn, err := tinyProxyConf.Start()
 e.FatalOnError(err)
 go func() {
@@ -149,6 +151,8 @@ func main() {
 if allSettings.ShadowSocks.Enabled {
 err = shadowsocksConf.MakeConf(allSettings.ShadowSocks.Port, allSettings.ShadowSocks.Password, uid, gid)
 e.FatalOnError(err)
+ err = firewallConf.AllowAnyIncomingOnPort(allSettings.ShadowSocks.Port)
+ e.FatalOnError(err)
 stream, waitFn, err := shadowsocksConf.Start("0.0.0.0", allSettings.ShadowSocks.Port, allSettings.ShadowSocks.Password, allSettings.ShadowSocks.Log)
 e.FatalOnError(err)
 go func() {
diff --git a/internal/firewall/firewall.go b/internal/firewall/firewall.go
index 2c191036..fb442e55 100644
--- a/internal/firewall/firewall.go
+++ b/internal/firewall/firewall.go
@@ -24,6 +24,7 @@ type Configurator interface {
 AddRoutesVia(subnets []net.IPNet, defaultGateway net.IP, defaultInterface string) error
 GetDefaultRoute() (defaultInterface string, defaultGateway net.IP, defaultSubnet net.IPNet, err error)
 AllowInputTrafficOnPort(device models.VPNDevice, port uint16) error
+ AllowAnyIncomingOnPort(port uint16) error
 }

 type configurator struct {
diff --git a/internal/firewall/iptables.go b/internal/firewall/iptables.go
index 7aa4d32a..da5278ec 100644
--- a/internal/firewall/iptables.go
+++ b/internal/firewall/iptables.go
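Review bot: The new `firewallConf.AllowAnyIncomingOnPort(allSettings.TinyProxy.Port)` call opens the proxy port on every interface, which per the iptables.go hunk on this page means the rule carries no `-i` match and so also accepts traffic arriving over the VPN tunnel device, not just from the LAN/container side. For a proxy that exists to sit behind the VPN, the port should be opened only on the non-tunnel interface; `GetDefaultRoute()` in the Configurator interface already yields `defaultInterface`, so an interface-scoped call such as `err = firewallConf.AllowInputTrafficOnPort(defaultInterface, allSettings.TinyProxy.Port)` (or an equivalent taking a plain interface name) would be the safer shape. Whether the tunnel is actually reachable from the internet depends on the VPN provider and is not visible here, but the rule should not rely on that. The same applies to the ShadowSocks hunk below. `main` starts and ends outside this hunk.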
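Review bot: The firewall port is opened before `shadowsocksConf.Start("0.0.0.0", …)` regardless of whether `allSettings.ShadowSocks.Password` is set, so a misconfigured empty password would now be reachable on all addresses rather than blocked by the firewall. If the settings layer does not already reject an empty password (not visible in this hunk), gate the new lines on it, e.g. `if allSettings.ShadowSocks.Password == "" { e.FatalOnError(fmt.Errorf("shadowsocks password must be set")) }` ahead of `AllowAnyIncomingOnPort`. `main` starts and ends outside this hunk.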
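Review bot: The added `AllowAnyIncomingOnPort(port uint16) error` interface method has no doc comment, and its name does not convey that, unlike the neighbouring `AllowInputTrafficOnPort(device, port)`, it is deliberately not scoped to an interface. I would add `// AllowAnyIncomingOnPort accepts TCP and UDP input on port from every interface, including the VPN device; prefer AllowInputTrafficOnPort when the ingress interface is known.` so callers understand the exposure they are choosing. The `Configurator` interface and the `configurator` struct both continue outside this hunk.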
@@ -128,3 +128,11 @@ func (c *configurator) AllowInputTrafficOnPort(device models.VPNDevice, port uin
 fmt.Sprintf("-A INPUT -i %s -p udp --dport %d -j ACCEPT", device, port),
 })
 }
+
+func (c *configurator) AllowAnyIncomingOnPort(port uint16) error {
+ c.logger.Info("%s: accepting any input traffic on port %d", logPrefix, port)
+ return c.runIptablesInstructions([]string{
+ fmt.Sprintf("-A INPUT -p tcp --dport %d -j ACCEPT", port),
+ fmt.Sprintf("-A INPUT -p udp --dport %d -j ACCEPT", port),
+ })
+}
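Review bot: The two `-A INPUT -p … --dport %d -j ACCEPT` rules in `AllowAnyIncomingOnPort` have no `-i` match, so they admit traffic from the VPN tunnel as well as from the LAN side, and they open UDP even though the first caller on this page (TinyProxy, an HTTP proxy) only needs TCP. Mirroring the existing `AllowInputTrafficOnPort` by taking an interface name, e.g. `fmt.Sprintf("-A INPUT -i %s -p tcp --dport %d -j ACCEPT", iface, port)`, and making UDP opt-in would keep the opened surface to what each proxy actually listens on. Note also that `-A` appends; if the INPUT chain is already terminated by an explicit DROP/REJECT rule rather than a chain policy (not visible here), the appended rule is unreachable and `-I` would be needed, as is presumably already true for the sibling method.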