Every port you need to open for every game we cover, with ready-to-paste ufw, iptables, and Windows Firewall commands. Bookmark this page — you'll come back to it.
Rust uses a single UDP port for gameplay and an optional RCON port. The query port for the server browser is gameport + 1 unless overridden.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 28015 | UDP | Game traffic | Default; change via +server.port |
| 28016 | UDP | Server query (A2S_INFO) | Auto-opened by server; Steam master list uses this |
| 28017 | TCP | RCON + WebSocket | Optional; set via +rcon.port. Use only over VPN or bind to localhost. |
| 28082 | TCP | App server (Rust+ companion) | Only if using Rust+ mobile app integration |
Java Edition defaults to TCP 25565. Bedrock uses UDP 19132. Query and RCON are optional but common.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 25565 | TCP | Minecraft Java Edition | Default; set via server-port in server.properties |
| 25575 | TCP | RCON (Java) | Enable via enable-rcon=true; password required |
| 25565 | UDP | Query protocol (Java) | Enable via enable-query=true; used by server listings |
| 19132 | UDP | Minecraft Bedrock (IPv4) | Default; set via server-port in Bedrock config |
| 19133 | UDP | Minecraft Bedrock (IPv6) | Default; set via server-portv6 |
ARK requires three UDP ports per instance: game, Steam query, and RCON (TCP). Clusters need all three per map.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 7777 | UDP | Game traffic | Default; set via ?Port= launch arg |
| 7778 | UDP | Raw UDP socket | Always gameport + 1; must be open even if unused |
| 27015 | UDP | Steam query | Set via ?QueryPort=; required for server browser |
| 32330 | TCP | RCON | Set via ?RCONPort=; enable ?RCONEnabled=True |
CS2 uses a single UDP port for gameplay and SourceTV. TCP RCON is optional. Multiple instances increment the base port.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 27015 | UDP | Game traffic | Default; set via -port launch arg |
| 27015 | TCP | RCON | Set rcon_password in server.cfg; only expose over VPN |
| 27020 | UDP | SourceTV / HLTV | Set via +tv_port; only if broadcasting |
| 27005 | UDP | Client-side outbound | Not server-side; listed for completeness |
Identical port layout to CS2 — both are Source engine. TF2 also needs HTTP for FastDL if self-hosting assets.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 27015 | UDP | Game traffic | Default; set via -port |
| 27015 | TCP | RCON | Requires rcon_password in server.cfg |
| 27020 | UDP | SourceTV | Optional; set via +tv_port |
| 80 / 443 | TCP | FastDL (HTTP / HTTPS) | Only if self-hosting maps/sounds via nginx. See our FastDL guide. |
FiveM and RedM (Cfx.re) use a single TCP/UDP pair. TCP handles HTTP endpoints; UDP handles game traffic. txAdmin runs on its own TCP port.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 30120 | TCP + UDP | Game + HTTP endpoints | Default; set via endpoint_add_tcp and endpoint_add_udp in server.cfg. Both protocols required. |
| 40120 | TCP | txAdmin web panel | Default; change in txData config. Restrict access via Nginx + basic auth. |
| 30130 | TCP + UDP | Second server instance | Only if running multiple servers; increment by 10 |
Valheim uses three consecutive UDP ports starting from your configured base. All three must be open.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 2456 | UDP | Game traffic | Default; set via -port launch arg |
| 2457 | UDP | Communication | Always gameport + 1; auto-opened by server |
| 2458 | UDP | Steam query | Always gameport + 2; required for server listing |
Palworld dedicated servers use a single UDP port. RCON support was added in 0.2.x and requires a separate TCP port.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 8211 | UDP | Game traffic | Default; set via -port= launch arg |
| 25575 | TCP | RCON | Set RCONEnabled=True and RCONPort= in PalWorldSettings.ini |
Ports used by the server panels and tools we cover. Lock these behind a VPN or Nginx + basic auth — never expose to the public internet.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 22 | TCP | SSH | Change to a high port and use key-only auth. Disable root login. |
| 80 / 443 | TCP | HTTP / HTTPS | For Pterodactyl, Pelican, AMP web UIs, or FastDL. Terminate TLS via Nginx. |
| 8080 | TCP | Pterodactyl Wings / Pelican daemon | Wings API; proxy via Nginx with TLS. Never expose raw. |
| 2022 | TCP | Pterodactyl SFTP | Used by the game-file SFTP interface built into Wings/Pelican |
| 8443 | TCP | AMP web UI (default) | CubeCoders AMP panel; change in AMPConfig.conf |
| 3306 | TCP | MySQL / MariaDB | Bind to 127.0.0.1 only. Never expose to the internet. |
Copy-paste commands for the three firewalls you'll actually use. Replace PORT with your real port number.
# Check status
sudo ufw status verbose
# Open a single UDP port (e.g. Rust game port)
sudo ufw allow 28015/udp
# Open a single TCP port (e.g. Minecraft Java)
sudo ufw allow 25565/tcp
# Open a port range (e.g. ARK cluster)
sudo ufw allow 7777:7780/udp
# Open TCP + UDP on the same port (e.g. FiveM)
sudo ufw allow 30120/tcp
sudo ufw allow 30120/udp
# Restrict a port to your IP only (best for RCON)
sudo ufw allow from YOUR.HOME.IP.HERE to any port 28017 proto tcp
# Remove a rule
sudo ufw delete allow 28015/udp
# Enable UFW (only after you've added SSH!)
sudo ufw allow 22/tcp
sudo ufw enable# Check current rules
sudo iptables -L -n -v
# Allow a single UDP port
sudo iptables -A INPUT -p udp --dport 28015 -j ACCEPT
# Allow a single TCP port
sudo iptables -A INPUT -p tcp --dport 25565 -j ACCEPT
# Allow a range
sudo iptables -A INPUT -p udp --dport 7777:7780 -j ACCEPT
# Allow RCON only from your home IP
sudo iptables -A INPUT -p tcp -s YOUR.HOME.IP.HERE --dport 28017 -j ACCEPT
# Save rules (Debian/Ubuntu - needs iptables-persistent)
sudo apt install iptables-persistent
sudo netfilter-persistent save
# Delete a rule (use same spec as when added, replace -A with -D)
sudo iptables -D INPUT -p udp --dport 28015 -j ACCEPT# Check status
sudo firewall-cmd --state
sudo firewall-cmd --list-all
# Open a single UDP port (permanent + live)
sudo firewall-cmd --permanent --add-port=28015/udp
sudo firewall-cmd --reload
# Open a TCP port
sudo firewall-cmd --permanent --add-port=25565/tcp
sudo firewall-cmd --reload
# Open a range
sudo firewall-cmd --permanent --add-port=7777-7780/udp
sudo firewall-cmd --reload
# Restrict RCON to your IP via rich rule
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="YOUR.HOME.IP.HERE" port port="28017" protocol="tcp" accept'
sudo firewall-cmd --reload
# Remove a port
sudo firewall-cmd --permanent --remove-port=28015/udp
sudo firewall-cmd --reload# Run PowerShell as Administrator
# Allow inbound UDP on a single port
New-NetFirewallRule -DisplayName "Rust Game UDP 28015" -Direction Inbound -Protocol UDP -LocalPort 28015 -Action Allow
# Allow inbound TCP
New-NetFirewallRule -DisplayName "Minecraft Java TCP 25565" -Direction Inbound -Protocol TCP -LocalPort 25565 -Action Allow
# Allow a port range
New-NetFirewallRule -DisplayName "ARK Cluster 7777-7780" -Direction Inbound -Protocol UDP -LocalPort 7777-7780 -Action Allow
# Restrict RCON by remote IP
New-NetFirewallRule -DisplayName "RCON from home" -Direction Inbound -Protocol TCP -LocalPort 28017 -RemoteAddress YOUR.HOME.IP.HERE -Action Allow
# List rules for a game
Get-NetFirewallRule -DisplayName "*Rust*" | Format-Table DisplayName, Enabled, Direction, Action
# Remove a rule
Remove-NetFirewallRule -DisplayName "Rust Game UDP 28015"Never expose RCON, MySQL, SSH on port 22, or admin panel ports directly to the internet. Put them behind a VPN (WireGuard is easy), an SSH tunnel, or Nginx with basic auth and a TLS cert. Your VPS provider's cloud firewall is only a first line of defense — always configure ufw/iptables/firewalld on the server itself.
Pick the right Hostinger KVM plan for your game and player count.
ToolExact heap size + Aikar's flags for your Minecraft server.
GuideSteamCMD and Windows Firewall setup, command by command.
PanelMulti-game panel with proper port mapping via Wings.