Linux Iptables open Bittorrent tcp ports 6881 to 6889

I already wrote about the Linux command line BitTorrent client. However, I received a few more queries regarding firewall issues. Basically, you need to open the ports using iptables.

A BitTorrent client by default uses TCP ports 6881 to 6889 only. In order for the client to accept incoming connections you need to open these ports on the firewall. Remember, if you are behind a firewall (hardware or software) you also need to enable port forwarding to the internal system.

Scenario # 1: Windows or Linux desktop behind router firewall

Internet ->     Hardware Router    -> Your Linux Desktop
          with port forwarding          Client

You have a router (ADSL/DSL/cable modem + router) and you have already enabled port forwarding on it (open a web browser > open the router's web admin interface > find port forwarding > enable port forwarding for the BitTorrent protocol). You also need to open the ports on the Linux desktop using the following iptables rules (open TCP ports 6881 to 6999):

iptables -A INPUT -p tcp --destination-port 6881:6999 -j ACCEPT
iptables -A OUTPUT -p tcp --source-port 6881:6999 -j ACCEPT

Here is a complete sample firewall script:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Setting default filter policy
iptables -P INPUT DROP

# Unlimited access to loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections this host started (covers UDP, DNS and passive FTP data)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming BitTorrent client requests
iptables -A INPUT -p tcp --destination-port 6881:6999 -j ACCEPT

# Uncomment below to allow incoming sshd client requests (note the double dash)
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# DROP everything else and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Scenario # 2

Internet -> Linux computer Router  ->  Your Linux Desktop
         with port forwarding      OR Windows XP client
         enabled using IPTABLES       IP:

Here you are using Linux as a software firewall and iptables as the NAT (firewall) for the internal network. You need to enable port forwarding to the internal Linux desktop (or Windows XP desktop) that runs the BitTorrent client. Add the following two lines to your existing NAT firewall script.

# Rewrite the destination of incoming BitTorrent connections to the desktop's LAN address
# (replace <INTERNAL_DESKTOP_IP> with that address)
iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -j DNAT --to-destination <INTERNAL_DESKTOP_IP>

# After DNAT the packet's destination is the desktop, so the FORWARD rule matches on -d
iptables -A FORWARD -d <INTERNAL_DESKTOP_IP> -p tcp --dport 6881:6889 -j ACCEPT
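The Scenario 2 forwarding rules with input checks and the return-path rule, as an added example that is not code from the original article. The function names, the WAN interface name, the sample address 192.168.1.10 and the IPT dry-run variable are this example's own assumptions; by default it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original article: emit the Scenario 2 rules
# for one internal BitTorrent client. Dry run by default (rules are printed);
# run as root with IPT=/sbin/iptables to apply them.

valid_ipv4() {
    # four dotted-decimal octets, each 0-255 (assumed-sufficient check)
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

valid_port_range() {
    # iptables "low:high" syntax with 1 <= low <= high <= 65535
    case "$1" in *:*) ;; *) return 1 ;; esac
    low=${1%%:*}
    high=${1#*:}
    case "$low" in ''|*[!0-9]*) return 1 ;; esac
    case "$high" in ''|*[!0-9]*) return 1 ;; esac
    [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

bt_forward_rules() {
    # $1 = WAN interface, $2 = client LAN address, $3 = TCP port range low:high
    wan=$1; client=$2; range=$3
    valid_ipv4 "$client" || { echo "bad client IP: $client" >&2; return 1; }
    valid_port_range "$range" || { echo "bad port range: $range" >&2; return 1; }
    IPT=${IPT:-echo}
    # rewrite the destination of new inbound connections to the client
    $IPT -t nat -A PREROUTING -i "$wan" -p tcp --dport "$range" \
        -j DNAT --to-destination "$client"
    # after DNAT the destination is the client, so the FORWARD rule matches -d
    $IPT -A FORWARD -i "$wan" -d "$client" -p tcp --dport "$range" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # replies from the client back out to the peer
    $IPT -A FORWARD -o "$wan" -s "$client" -p tcp --sport "$range" \
        -m state --state ESTABLISHED -j ACCEPT
}

# constructed sample values: WAN eth0, desktop 192.168.1.10, the default range
bt_forward_rules eth0 192.168.1.10 6881:6889
```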

Related: Linux Command line BitTorrent client

31 comments
  • Bruno Dec 11, 2005 @ 4:20

    Excellent information solved all my problems related to bittorent and your script is gr8 help thx 😀

  • Unknown Dec 13, 2005 @ 0:33

    Very nice your firewall rulez are very simple and easy to follow, this page is bookmarked.
    Keep it up good work

  • bliko Jan 24, 2006 @ 16:46

    all this is good but what happens when
    I have a linux box in a windows network and I have no control over the firewall set up by an administrator?

    I can ssh from my linux box to outside as well as surf the net.

  • 🐧 nixcraft Jan 25, 2006 @ 20:57

    Then log in to your linux box over ssh and use bittorrent-curses as follows:

    python2.4 /usr/bin/bittorrent-curses '/path/to/file.torrent'

    See our article Linux: Command line BitTorrent client

    Have a fun 😀

  • Anonymous Jan 25, 2006 @ 20:59

    This is a nice work. Keep up the good work.

  • Anonymous Feb 25, 2006 @ 6:57

    what if there are multiple desktop machines behind the linux firewall? can only one use bittorrent, or is there some other way to do it?

  • 🐧 nixcraft Feb 25, 2006 @ 10:36

    You can use a for loop as follows (assuming that you have three desktop systems with IP

    CLIENT="<IP1> <IP2> <IP3>"   # the three desktop addresses
    for i in $CLIENT
    do
        iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -j DNAT --to-destination $i
        iptables -A FORWARD -d $i -p tcp --dport 6881:6889 -j ACCEPT
    done

    The other option is to grant permission to a range of IP addresses. For example, grant permission to to

    iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -j DNAT --to-destination <FIRST_IP>-<LAST_IP>

    iptables -A FORWARD -d <LAN_SUBNET/CIDR> -p tcp --dport 6881:6889 -j ACCEPT

  • Brian Mar 7, 2006 @ 2:56

    im getting..

    [root@localhost brian]# iptables -A INPUT -p tcp --destination-port 6881:6999 -j ACCEPT
    bash: iptables: command not found

    what do i do?

  • 🐧 nixcraft Mar 7, 2006 @ 9:55

    a) If you are using the su command to become root, use su -

    b) Use full path to iptables i.e. /sbin/iptables

    c) You do not have iptables installed. Install it.

  • Anonymous Apr 4, 2006 @ 0:33

    [root@server html]# iptables -A INPUT -p tcp --destination-port 6881:6999 -j ACCEPT
    iptables v1.3.0: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    [root@server html]# iptables -A OUTPUT -p tcp --source-ports 6881:6999 -j ACCEPT
    iptables v1.3.0: Unknown arg `--source-ports'
    Try `iptables -h' or 'iptables --help' for more information.

    How to fix that?

  • 🐧 nixcraft Apr 4, 2006 @ 0:52

    To fix first error run command:
    modprobe ip_tables iptable_filter ipt_state ip_conntrack ipt_LOG iptable_mangle

    Then verify module loaded with following command:
    lsmod | grep ip

    If the above two commands fail with an error then you need to upgrade your kernel. Btw specify your Linux distro...

    To fix the second error, type the rule as follows (it is --source-port not --source-ports):
    iptables -A OUTPUT -p tcp --source-port 6881:6999 -j ACCEPT

  • Anonymous Jun 27, 2006 @ 9:10

    is the default port range 6881:6889 or 6881:6999? The article mentions both, seems a conflict there.

  • 🐧 nixcraft Jul 3, 2006 @ 2:48

    6881:6889 ==> More than sufficient for Bittorent client.

    If you are going to distribute torrents then use 6881:6999

  • Anonymous Sep 22, 2006 @ 23:37

    oh yeah! Now I don’t get that yellow ball when using BitTornado.

    Thanks a lot!!! 🙂

  • joe Mar 17, 2007 @ 17:04

    i tried running the sample code:

    iptables -A INPUT -p tcp --destination-port 6881:6999 -j ACCEPT

    but the shell spit up "bad argument '-destination-port'"

    I looked in the help file for my version of iptables and could not find this parameter. I tried the other parameters that seemed similar, -d & --destination. The latter worked, while the former did not. In the help file the -d option appears with a '[!]' next to it - what does this indicate?

    despite my success with '--destination' a new error popped up. '-p' was considered a bad argument. I tried '--proto,' the alternative according to the help file, but to no avail.

    what do you suggest?

    thanks for your time,
  • Darkly May 31, 2007 @ 20:52

    replace -destination-port with --destination port and you will be fine.

  • figure May 31, 2007 @ 23:18

    Here is the command you need (a little late).

    /sbin/iptables -A INPUT -p tcp -v --match multiport --dports 6881:6999 -j ACCEPT

    /sbin/iptables -A OUTPUT -p tcp -v --match multiport --dports 6881:6999 -j ACCEPT

    To get rid of these rules after you are done,

    /sbin/iptables -D INPUT -p tcp -v --match multiport --dports 6881:6999 -j ACCEPT

    /sbin/iptables -D OUTPUT -p tcp -v --match multiport --dports 6881:6999 -j ACCEPT

    The key change is the --match option, as it loads a module that allows --dports (or --destination-ports) to be used. It can load many other modules besides the multiport module, but this is the one we need here.

  • Avesh Sep 19, 2007 @ 8:39

    Hi, my iptables is not working in Red Hat Linux.
    It gives me the error "iptables-restore not matched", whereas this file is in /sbin.
    Do I need to run the command service iptables-save? Also when I put -p in my iptables command it gives me an error. So what should I do?

  • Albert Dec 6, 2007 @ 15:49

    I'm getting:

    iptables -t nat -A PREROUTING -p tcp --d 6881:6889 -j DNAT --to-destination

    -- Bad argument ''

    I looked in the help but no -to-destination argument found...

    What can I do? thanks in advance.

  • 🐧 nixCraft Dec 6, 2007 @ 16:37

    It should be as follows (note the double dash --, and replace <INTERNAL_DESKTOP_IP> with the desktop's address):

    iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -j DNAT --to-destination <INTERNAL_DESKTOP_IP>

  • rich Jan 8, 2008 @ 16:42

    It took me a while to find this info... I had port forwarded 6881-6889 and didn't gain anything, so I was glad to see that there's one more step to getting it working correctly. I'll try it out tonight:

    iptables -A INPUT -p tcp --destination-port 6881:6999 -j ACCEPT
    iptables -A OUTPUT -p tcp --source-port 6881:6999 -j ACCEPT

  • Sneezy Melon Mar 15, 2008 @ 16:58

    nice post! Thanks for sharing!

  • Gini Jul 2, 2008 @ 17:01

    Is there a way that we can force a particular application to use a particular interface say wlan0 or eth0 ?

  • Hellimod Sep 6, 2008 @ 12:47

    Everything said in this article is true except for the port assignment. Ports 6881 to 6889 are blacklisted by both ISPs and trackers nowadays. Advising people to use these ports is completely incorrect. Better to just tell people to pick any ports in the 50000+ range. Not only are those ports blacklisted, using them will get you banned from many trackers. Yep, complete and utter outright ban on those ports; they are not to be used EVER.

  • chandan kumar Feb 24, 2009 @ 14:50

    i know about protocol-ports.

  • voxeljorz Apr 15, 2009 @ 5:42

    i use free ports for torrent, by the way using windows OS with Kerio Firewall

  • stewa Sep 3, 2009 @ 16:52

    Thank you! Now Torrent works great!

  • i3keba May 6, 2010 @ 8:24

    Question: how will iptables behave if I forward one port range to a different port range?
    iptables -t nat -A PREROUTING -p tcp --dport 6001:6999 -j DNAT --to-destination <INTERNAL_IP>:7001-7999
    As I know, the 2.4 kernel was mapping port to port, but 2.6.11 and up seems to always map 6001:6999 to the first port (7001) of the 7001-7999 range.

    Any ideas

  • SIFE Jun 10, 2010 @ 18:03

    hi, this info is very good and gives me some ideas to apply to other services in the future.
    What if I want to block seeding only or leeching only? I am using OpenBSD PF.

  • Ahmad Fikrizaman Sep 20, 2012 @ 20:58

    Hello cyberciti, is there any way to block torrents in an OpenVZ container? layer7, rope or anything like that is not working because iptables for OpenVZ is not complete..

  • دانلود سریال Nov 27, 2014 @ 22:24

    very nice
