Linux Iptables open Bittorrent tcp ports 6881 to 6889

I already wrote about Linux command line bittorrent client. However, I received few more queries regarding firewall issues. Basically you need to open ports using iptables.


Bittorrent client by default uses tcp 6881 to 6889 ports only. In order to work with Bittorrent client you need to open these ports on firewall. Remember, if you are behind a firewall (hardware or software) you need to enable port forwarding to internal systems.

Scenario # 1: Windows or Linux desktop behind router firewall

Internet ->     Hardware Router    -> Your Linux Desktop
          with port forwarding          Client

You have router (ADSL/DSL/Cable modem+router) and you have already enabled port forwarding on router (open web browser > Open router web admin interface > Find port forwarding > Enable port forwarding for bittorent protocol). You also need to open port using following iptables rules on Linux desktop (open TCP port 6881 to 6999):

iptables -A INPUT -p tcp --destination-port 6881:6999 -j ACCEPT
iptables -A OUTPUT -p tcp --source-port 6881:6999 -j ACCEPT

Here is a complete sample firewall script:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Setting default filter policy
iptables -P INPUT DROP

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow bittorent incomming client request
iptables -A INPUT -p tcp --destination-port 6881:6999 -j ACCEPT

#Uncomment below to allow sshd incoming client request
#iptables -A INPUT -p tcp -dport 22 -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Scenario # 2

Internet -> Linux computer Router  ->  Your Linux Desktop
         with port forwarding      OR Windows XP client
         enabled using IPTABLES       IP:

Here you are using a Linux as software firewall and iptables as your NAT (firewall) for internal network ( You need to enable port forwarding to a internal Linux desktop (may be Windows XP desktop) for BitTorrent client system. Add following two line of code to your existing NAT firewall script.

iptables -t nat -A PREROUTING -p tcp --dport 6881:6889
-j DNAT --to-destination

iptables -A FORWARD -s -p tcp --dport 6881:6889

Related: Linux Command line BitTorrent client

🥺 Was this helpful? Please add a comment to show your appreciation or feedback.

nixCrat Tux Pixel Penguin
Hi! 🤠
I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

31 comments… add one
  • rich Jan 8, 2008 @ 16:42

    It took me a while to find this info… I had port forwarded 6881-6889 and didnt gain anything so I was glad to see that there’s one more step to getting it working correctly. I’ll try it out tonight:

    iptables -A INPUT -p tcp –destination-port 6881:6999 -j ACCEPT
    iptables -A OUTPUT -p tcp –source-port 6881:6999 -j ACCEPT

  • Sneezy Melon Mar 15, 2008 @ 16:58

    nice post! Thanks for sharing!

  • Gini Jul 2, 2008 @ 17:01

    Is there a way that we can force a particular application to use a particular interface say wlan0 or eth0 ?

  • Hellimod Sep 6, 2008 @ 12:47

    Everything said in this article is true except for the port assignment. ports 6881 to 6889 are blacklisted by both ISP’s and trackers now adays. Advising people use these ports is completely incorrect. Better to just say to people to pick any ports in the 50000+ range. Not only are those ports blacklisted. Using them will get you banned from many trackets. Yep complete and utter outright ban on those ports they are not to be used EVER.

  • chandan kumar Feb 24, 2009 @ 14:50

    i know about protocol-ports.

  • voxeljorz Apr 15, 2009 @ 5:42

    i use free ports for torrent, by the way using windows OS with Kerio Firewall

  • stewa Sep 3, 2009 @ 16:52

    Thank you! Now Torrent works great!

  • i3keba May 6, 2010 @ 8:24

    Question: how will behave iptables if I will forward one port range to different port range?
    iptables -t nat -A PREROUTING -p tcp –dport 6001:6999 -j DNAT –to-destination
    As I know 2.4 kernel was mapping port to port but 2.6.11 and up seems always mapping 6001:6999 to first port (7001) of 7001-7999 range.

    Any ideas

  • SIFE Jun 10, 2010 @ 18:03

    hi, this info very good and give me some idea to apply in other services in future .
    what if i want to block seeding only or leeching only ,i am using OpenBSD PF .

  • Ahmad Fikrizaman Sep 20, 2012 @ 20:58

    Hello cyberciti, is there any way to block torrent in OpenVZ container? layer7, rope or any like that not working because iptables for OpenVZ is not complete..

  • دانلود سریال Nov 27, 2014 @ 22:24

    very nice

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre> for code samples. Your comment will appear only after approval by the site admin.