Linux Iptables open Bittorrent tcp ports 6881 to 6889

last updated in Categories CentOS, Debian Linux, Howto, Iptables, Linux, Linux desktop, Networking, RedHat/Fedora Linux, Security, Shell scripting, Suse Linux, Ubuntu Linux

I already wrote about Linux command line bittorrent client. However, I received few more queries regarding firewall issues. Basically you need to open ports using iptables.


Bittorrent client by default uses tcp 6881 to 6889 ports only. In order to work with Bittorrent client you need to open these ports on firewall. Remember, if you are behind a firewall (hardware or software) you need to enable port forwarding to internal systems.

Scenario # 1: Windows or Linux desktop behind router firewall

Internet ->     Hardware Router    -> Your Linux Desktop
          with port forwarding          Client

You have router (ADSL/DSL/Cable modem+router) and you have already enabled port forwarding on router (open web browser > Open router web admin interface > Find port forwarding > Enable port forwarding for bittorent protocol). You also need to open port using following iptables rules on Linux desktop (open TCP port 6881 to 6999):

iptables -A INPUT -p tcp --destination-port 6881:6999 -j ACCEPT
iptables -A OUTPUT -p tcp --source-port 6881:6999 -j ACCEPT

Here is a complete sample firewall script:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Setting default filter policy
iptables -P INPUT DROP

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow bittorent incomming client request
iptables -A INPUT -p tcp --destination-port 6881:6999 -j ACCEPT

#Uncomment below to allow sshd incoming client request
#iptables -A INPUT -p tcp -dport 22 -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Scenario # 2

Internet -> Linux computer Router  ->  Your Linux Desktop
         with port forwarding      OR Windows XP client
         enabled using IPTABLES       IP:

Here you are using a Linux as software firewall and iptables as your NAT (firewall) for internal network ( You need to enable port forwarding to a internal Linux desktop (may be Windows XP desktop) for BitTorrent client system. Add following two line of code to your existing NAT firewall script.

iptables -t nat -A PREROUTING -p tcp --dport 6881:6889
-j DNAT --to-destination

iptables -A FORWARD -s -p tcp --dport 6881:6889

Related: Linux Command line BitTorrent client


Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

31 comment

  1. Very nice your firewall rulez are very simple and easy to follow, this page is bookmarked.
    Keep it up good work

  2. all this is good but what happens when
    I have a linux box in a windows network and I have no control over the firewall set up by an administrator?

    I can ssh from my linux box to outside as well as surf the net.

  3. bliko,

    Then login to your linux box over ssh and use the bittorrent-curses as follows:

    python2.4 /usr/bin/bittorrent-curses ‘/path/to/file.torrent’

    See our article Linux: Command line BitTorrent client

    Have a fun 😀

  4. what if there are multiple desktop machines behind the linux firewall? can only one use bittorrent, or is there some other way to do it?

  5. You can use for loop as follows (assuming that you have three desktop systems with IP

    for i in $CLIENT
    iptables -t nat -A PREROUTING -p tcp –dport 6881:6889
    -j DNAT –to-destination $i

    iptables -A FORWARD -s $i -p tcp –dport 6881:6889
    -j ACCEPT

    Other option is to grant permission to range of IP addres. For example, grant permission to to

    iptables -t nat -A PREROUTING -p tcp –dport 6881:6889
    -j DNAT –to-destination

    iptables -A FORWARD -s -p tcp –dport 6881:6889
    -j ACCEPT

  6. im getting..

    [root@localhost brian]# iptables -A INPUT -p tcp –destination-port 6881:6999 -j ACCEPT
    bash: iptables: command not found

    what do i do?

  7. Brian,

    a) If you are using su command to become root, use su –

    b) Use full path to iptables i.e. /sbin/iptables

    c) You do not have iptables installed. Install it.

  8. [root@server html]# iptables -A INPUT -p tcp –destination-port 6881:6999 -j ACCEPT
    iptables v1.3.0: can’t initialize iptables table `filter’: iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    [root@server html]# iptables -A OUTPUT -p tcp –source-ports 6881:6999 -j ACCEPT
    iptables v1.3.0: Unknown arg `–source-ports’
    Try `iptables -h’ or ‘iptables –help’ for more information.

    How to fix that?

  9. To fix first error run command:
    modprobe ip_tables iptable_filter ipt_state ip_conntrack ipt_LOG iptable_mangle

    Then verify module loaded with following command:
    lsmod | grep ip

    If above two command fails with an error then you need to upgrade your kernel. Btw specify your Linux disto…

    To fix second error, type rule as follows (it is –source-port not –source-ports ):
    iptables -A OUTPUT -p tcp –source-port 6881:6999 -j ACCEPT

  10. is the default port range 6881:6889 or 6881:6999 – the article mentions both, seems a confict there.

  11. 6881:6889 ==> More than sufficient for Bittorent client.

    If you are going to distribute torrents then use 6881:6999

  12. hi,
    i tried running the sample code:

    iptables -A INPUT -p tcp –destination-port 6881:6999 -j ACCEPT

    but the shell spit up “bad argument ‘-destination-port'”

    i looked in the help file for my version of iptables and could not find this parameter. i tried the other parameters that seemed similar, -d & –destination. The latter worked, while the former did not. In the help file the -d option appears with a ‘[!]’ next to it – what does this indicate?

    despite my success with ‘–destination’ a new error popped up. ‘-p’ was considered a bad argument. i tried ‘–proto,’ the alternative according to the help file, but to no avail.

    what do you suggest?

    thanks for your time,


  13. joe,

    Here is the command you need (a little late).

    /sbin/iptables -A INPUT -p tcp -v –match multiport –dports 6881:6999 -j ACCEPT

    /sbin/iptables -A OUTPUT -p tcp -v –match multiport –dports 6881:6999 -j ACCEPT

    To get rid of these rules after you are done,

    /sbin/iptables -D INPUT -p tcp -v –match multiport –dports 6881:6999 -j ACCEPT

    /sbin/iptables -D OUTPUT -p tcp -v –match multiport –dports 6881:6999 -j ACCEPT

    The key change is the –match option as it loads a module that allows the –dports (or –destination-ports) to be used. It can load many other modules besides the multiport module, but this is the one we need here.

  14. Hi, my iptables is not working in redhat linux.
    It gives me the error as iptables-restore not matched. whereas this file is /sbin.
    whether i need to run the command of service iptables-save. also when i put -p in my iptables command it gives me the error. so what shud I do?

  15. I’m getting:

    iptables -t nat -A PREROUTING -p tcp –d 6881:6889
    -j DNAT –to-destination

    — Bad argument ‘’

    I looked in the help but no -to-destination argument found…

    What can I do? thanks in advance.

  16. It should be as follows, (note double dash –)

    iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -j DNAT --to-destination
  17. It took me a while to find this info… I had port forwarded 6881-6889 and didnt gain anything so I was glad to see that there’s one more step to getting it working correctly. I’ll try it out tonight:

    iptables -A INPUT -p tcp –destination-port 6881:6999 -j ACCEPT
    iptables -A OUTPUT -p tcp –source-port 6881:6999 -j ACCEPT

  18. Hi
    Is there a way that we can force a particular application to use a particular interface say wlan0 or eth0 ?

  19. Everything said in this article is true except for the port assignment. ports 6881 to 6889 are blacklisted by both ISP’s and trackers now adays. Advising people use these ports is completely incorrect. Better to just say to people to pick any ports in the 50000+ range. Not only are those ports blacklisted. Using them will get you banned from many trackets. Yep complete and utter outright ban on those ports they are not to be used EVER.

  20. Question: how will behave iptables if I will forward one port range to different port range?
    iptables -t nat -A PREROUTING -p tcp –dport 6001:6999 -j DNAT –to-destination
    As I know 2.4 kernel was mapping port to port but 2.6.11 and up seems always mapping 6001:6999 to first port (7001) of 7001-7999 range.

    Any ideas

  21. hi, this info very good and give me some idea to apply in other services in future .
    what if i want to block seeding only or leeching only ,i am using OpenBSD PF .

  22. Hello cyberciti, is there any way to block torrent in OpenVZ container? layer7, rope or any like that not working because iptables for OpenVZ is not complete..

    Have a question? Post it on our forum!