Every port you need to open for every game we cover, with ready-to-paste ufw, iptables, and Windows Firewall commands. Bookmark this page — you'll come back to it.
Rust uses a single UDP port for gameplay and an optional RCON port. The query port for the server browser is gameport + 1 unless overridden.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 28015 | UDP | Game traffic | Default; change via +server.port |
| 28016 | UDP | Server query (A2S_INFO) | Auto-opened by server; Steam master list uses this |
| 28017 | TCP | RCON + WebSocket | Optional; set via +rcon.port. Use only over VPN or bind to localhost. |
| 28082 | TCP | App server (Rust+ companion) | Only if using Rust+ mobile app integration |
Java Edition defaults to TCP 25565. Bedrock uses UDP 19132. Query and RCON are optional but common.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 25565 | TCP | Minecraft Java Edition | Default; set via server-port in server.properties |
| 25575 | TCP | RCON (Java) | Enable via enable-rcon=true; password required |
| 25565 | UDP | Query protocol (Java) | Enable via enable-query=true; used by server listings |
| 19132 | UDP | Minecraft Bedrock (IPv4) | Default; set via server-port in Bedrock config |
| 19133 | UDP | Minecraft Bedrock (IPv6) | Default; set via server-portv6 |
ARK requires three UDP ports per instance (game, raw socket, and Steam query) plus a TCP port for RCON. Clusters need all three per map.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 7777 | UDP | Game traffic | Default; set via ?Port= launch arg |
| 7778 | UDP | Raw UDP socket | Always gameport + 1; must be open even if unused |
| 27015 | UDP | Steam query | Set via ?QueryPort=; required for server browser |
| 32330 | TCP | RCON | Set via ?RCONPort=; enable ?RCONEnabled=True |
CS2 uses a single UDP port for gameplay and SourceTV. TCP RCON is optional. Multiple instances increment the base port.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 27015 | UDP | Game traffic | Default; set via -port launch arg |
| 27015 | TCP | RCON | Set rcon_password in server.cfg; only expose over VPN |
| 27020 | UDP | SourceTV / HLTV | Set via +tv_port; only if broadcasting |
| 27005 | UDP | Client-side outbound | Not server-side; listed for completeness |
Identical port layout to CS2 — both are Source engine. TF2 also needs HTTP for FastDL if self-hosting assets.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 27015 | UDP | Game traffic | Default; set via -port |
| 27015 | TCP | RCON | Requires rcon_password in server.cfg |
| 27020 | UDP | SourceTV | Optional; set via +tv_port |
| 80 / 443 | TCP | FastDL (HTTP / HTTPS) | Only if self-hosting maps/sounds via nginx. See our FastDL guide. |
FiveM and RedM (Cfx.re) use a single TCP/UDP pair. TCP handles HTTP endpoints; UDP handles game traffic. txAdmin runs on its own TCP port.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 30120 | TCP + UDP | Game + HTTP endpoints | Default; set via endpoint_add_tcp and endpoint_add_udp in server.cfg. Both protocols required. |
| 40120 | TCP | txAdmin web panel | Default; change in txData config. Restrict access via Nginx + basic auth. |
| 30130 | TCP + UDP | Second server instance | Only if running multiple servers; increment by 10 |
Valheim uses three consecutive UDP ports starting from your configured base. All three must be open.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 2456 | UDP | Game traffic | Default; set via -port launch arg |
| 2457 | UDP | Communication | Always gameport + 1; auto-opened by server |
| 2458 | UDP | Steam query | Always gameport + 2; required for server listing |
Palworld dedicated servers use a single UDP port. RCON support was added in 0.2.x and requires a separate TCP port.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 8211 | UDP | Game traffic | Default; set via -port= launch arg |
| 25575 | TCP | RCON | Set RCONEnabled=True and RCONPort= in PalWorldSettings.ini |
Windrose has two modes: Mode A (UPnP) needs no manual port forwarding, Mode B (DirectConnection) requires TCP and UDP on the same port. Default is 7777, configurable via DirectConnectionServerPort in ServerDescription.json. See our Windrose setup guide.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 7777 | TCP | Game traffic (Mode B) | Required only for UseDirectConnection: true. Set via DirectConnectionServerPort. |
| 7777 | UDP | Game traffic (Mode B) | Required only for UseDirectConnection: true. Same port number as TCP. |
7 Days to Die uses TCP for the gameplay socket and a small UDP range for game traffic. The Telnet admin port is on TCP 8081 by default — never expose it publicly.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 26900 | TCP | Server socket | Default; set via ServerPort in serverconfig.xml |
| 26900-26902 | UDP | Game traffic | Always ServerPort through ServerPort + 2. All three required. |
| 8080 | TCP | Web dashboard | Optional; set ControlPanelEnabled="true". Restrict to admin IPs only. |
| 8081 | TCP | Telnet admin | Optional but dangerous — bind to localhost or VPN only. |
Zomboid uses one base UDP port for the master, plus one additional UDP port per player slot. Open a contiguous range from the base port through base + MaxPlayers.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 16261 | UDP | Server master / login | Default; set via DefaultPort in servertest.ini |
| 16262-16322 | UDP | Per-player slots | Open one extra port per slot starting at DefaultPort + 1. For 60 players: 16262-16321. |
Conan Exiles is built on Unreal Engine and uses the same port pattern as ARK: a game port, a raw socket port (gameport + 1), and a Steam query port. RCON is set in the engine ini files.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 7777 | UDP | Game traffic | Default; set via ?Port= launch arg |
| 7778 | UDP | Raw UDP socket | Always gameport + 1; must be open even if unused |
| 27015 | UDP | Steam query | Set via ?QueryPort=; required for server browser |
| 25575 | TCP | RCON | Set RconEnabled=True and RconPort= in ServerSettings.ini. Restrict to admin IPs. |
GMod is built on the Source engine and uses the same port pattern as CS2 / TF2: one UDP port for game traffic and the same number on TCP for optional RCON.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 27015 | UDP | Game traffic + Steam query | Default; set via -port launch arg |
| 27015 | TCP | RCON | Set rcon_password in server.cfg. Same port number as game UDP. Restrict to VPN. |
| 27005 | UDP | Client outbound | Not server-side; listed for completeness |
Mordhau is on Unreal Engine and uses three UDP ports: game traffic, the beacon port (server discovery), and Steam query. All three must be open.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 7777 | UDP | Game traffic | Default; set via Port= in Game.ini |
| 15000 | UDP | Beacon (server discovery) | Set via BeaconPort=; required for server list |
| 27015 | UDP | Steam query | Set via QueryPort=; required for server browser |
Squad uses four ports: a non-standard game port, a query port, a beacon port, and an RCON TCP port. The default game port is 7787 (not 7777) — a frequent setup gotcha.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 7787 | UDP | Game traffic | Default; set via Port=. Note: not 7777. |
| 27165 | UDP | Steam query | Set via QueryPort=; required for server browser |
| 15000 | UDP | Beacon | Set via BeaconPort=; required for server discovery |
| 21114 | TCP | RCON | Set RCON.Port= and RCON.Password= in Rcon.cfg. Restrict to admin IPs only. |
Pavlov VR uses two UDP ports for game traffic and an additional UDP port for Steam query. RCON is configured separately and is optional.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 7777 | UDP | Game traffic | Default; set via Port= in Game.ini |
| 7778 | UDP | Raw socket | Always gameport + 1; auto-opened by server |
| 27015 | UDP | Steam query | Set via QueryPort=; required for server browser |
| 9100 | TCP | RCON (optional) | Set in RconSettings.txt. Restrict to admin IPs. |
DST runs the master shard on UDP 10999 and each additional shard (typically the Caves) on its own UDP port. Steam authentication uses 8766. Master and shards must reach each other on the LAN side.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 10999 | UDP | Master shard (Forest) | Default; set via server_port in Master/server.ini |
| 10998 | UDP | Caves shard | Default; set via server_port in Caves/server.ini |
| 8766 | UDP | Steam authentication | Required for player connections; set authentication_port in cluster.ini |
| 8768 | UDP | Steam master server | Required for server listing; set master_server_port in cluster.ini |
Sons of the Forest uses a Steam authentication port, a query port, and a separate game port. All three UDP ports are required for clients to connect and discover the server.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 8766 | UDP | Steam authentication | Default; set via GamePort in dedicatedserver.cfg |
| 27016 | UDP | Steam query | Default; set via QueryPort |
| 9700 | UDP | Game traffic | Default; set via GameNetworkPort |
V Rising uses two adjacent UDP ports — one for game traffic, one for Steam query. Both must be open for the server to appear in the public list.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 9876 | UDP | Game traffic | Default; set via Port in ServerHostSettings.json |
| 9877 | UDP | Steam query | Default; set via QueryPort; required for server browser |
Since the 1.0 release (September 2024), Satisfactory dedicated servers consolidated to a single UDP port (default 7777). Older guides referencing 15777 / 15000 / 7777 are obsolete.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 7777 | UDP | Game traffic + query (1.0+) | Default since 1.0; set via ?Port= launch arg or ServerGamePort in Engine.ini. Single port handles everything. |
Unturned uses three contiguous UDP ports starting at the base port: game traffic, query, and the RakNet protocol used for matchmaking.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 27015 | UDP | Game traffic | Default; set via Port in Commands.dat |
| 27016 | UDP | Steam query | Always Port + 1; auto-opened by server |
| 27017 | UDP | RakNet matchmaking | Always Port + 2; required for the server browser |
Terraria is one of the simplest games to host: a single TCP port, no UDP, no query protocol. The vanilla server has no built-in RCON — use TShock if you need remote admin tools.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 7777 | TCP | Game traffic | Default; set via -port launch arg or port= in serverconfig.txt |
| 7878 | TCP | TShock REST API (optional) | Only if running TShock; set in config.json. Bind to localhost or VPN. |
Factorio uses a single UDP port for gameplay. RCON is opt-in via launch flags and uses a separate TCP port that you choose yourself.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 34197 | UDP | Game traffic | Default; set via --port or game-port in server-settings.json |
| custom | TCP | RCON (optional) | No default — enable with --rcon-port <PORT> --rcon-password <PASSWORD>. Restrict to admin IPs. |
Ports used by the server panels and tools we cover. Lock these behind a VPN or Nginx + basic auth — never expose to the public internet.
| Port | Protocol | Purpose | Notes |
|---|---|---|---|
| 22 | TCP | SSH | Change to a high port and use key-only auth. Disable root login. |
| 80 / 443 | TCP | HTTP / HTTPS | For Pterodactyl, Pelican, AMP web UIs, or FastDL. Terminate TLS via Nginx. |
| 8080 | TCP | Pterodactyl Wings / Pelican daemon | Wings API; proxy via Nginx with TLS. Never expose raw. |
| 2022 | TCP | Pterodactyl SFTP | Used by the game-file SFTP interface built into Wings/Pelican |
| 8443 | TCP | AMP web UI (default) | CubeCoders AMP panel; change in AMPConfig.conf |
| 3306 | TCP | MySQL / MariaDB | Bind to 127.0.0.1 only. Never expose to the internet. |
Copy-paste commands for the three firewalls you'll actually use. Replace PORT with your real port number.
```bash
# Check status
sudo ufw status verbose
# Open a single UDP port (e.g. Rust game port)
sudo ufw allow 28015/udp
# Open a single TCP port (e.g. Minecraft Java)
sudo ufw allow 25565/tcp
# Open a port range (e.g. ARK cluster)
sudo ufw allow 7777:7780/udp
# Open TCP + UDP on the same port (e.g. FiveM)
sudo ufw allow 30120/tcp
sudo ufw allow 30120/udp
# Restrict a port to your IP only (best for RCON)
sudo ufw allow from YOUR.HOME.IP.HERE to any port 28017 proto tcp
# Remove a rule
sudo ufw delete allow 28015/udp
# Enable UFW (only after you've added SSH!)
sudo ufw allow 22/tcp
sudo ufw enable
```
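Several tables above derive extra UDP ports from the base port (Rust and ARK use gameport + 1, Valheim and Unturned use base through base + 2, Zomboid uses base through base + MaxPlayers), so two instances on adjacent base ports collide. This added example, not from the original page, turns an instance list into ufw rules and flags overlapping blocks; `plan_udp_ranges`, `sample_instances` and the instance names are hypothetical, and separately configured ports (Steam query, RCON) are out of scope.

```bash
#!/usr/bin/env bash
# Reads "name game base_port [max_players]" lines on stdin, prints one ufw
# rule per instance, reports overlapping UDP blocks, and returns 1 if any
# instance was rejected.
plan_udp_ranges() {
  awk '
    # Ports derived above the base port, per the tables on this page.
    function extra(game, players) {
      if (game == "rust" || game == "ark") return 1           # base + 1
      if (game == "valheim" || game == "unturned") return 2   # base .. base + 2
      if (game == "zomboid" && players >= 1) return players   # base .. base + MaxPlayers
      return -1
    }
    BEGIN { bad = 0 }
    NF >= 3 {
      name = $1; lo = $3 + 0; e = extra($2, $4 + 0); hi = lo + e
      if (e < 0 || lo < 1 || hi > 65535) {
        print "SKIP " name ": unknown game or port out of range"; bad = 1; next
      }
      hit = 0
      for (i = 1; i <= n; i++)
        if (lo <= last[i] && first[i] <= hi) {
          print "CONFLICT " name " " lo "-" hi " overlaps " who[i] " " first[i] "-" last[i]
          hit = 1
        }
      n++; who[n] = name; first[n] = lo; last[n] = hi
      if (hit) { bad = 1; next }
      print "ufw allow " lo ":" hi "/udp"
    }
    END { exit bad }'
}

# Constructed instance list; names and base ports are illustrative.
sample_instances() {
  cat <<'EOF'
valheim-a  valheim  2456
valheim-b  valheim  2457
ark-island ark      7777
ark-center ark      7779
pz-main    zomboid  16261 60
EOF
}

sample_instances | plan_udp_ranges || echo "resolve the conflicts above before applying"
```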
```bash
# Check current rules
sudo iptables -L -n -v
# Allow a single UDP port
sudo iptables -A INPUT -p udp --dport 28015 -j ACCEPT
# Allow a single TCP port
sudo iptables -A INPUT -p tcp --dport 25565 -j ACCEPT
# Allow a range
sudo iptables -A INPUT -p udp --dport 7777:7780 -j ACCEPT
# Allow RCON only from your home IP
sudo iptables -A INPUT -p tcp -s YOUR.HOME.IP.HERE --dport 28017 -j ACCEPT
# Save rules (Debian/Ubuntu - needs iptables-persistent)
sudo apt install iptables-persistent
sudo netfilter-persistent save
# Delete a rule (use same spec as when added, replace -A with -D)
sudo iptables -D INPUT -p udp --dport 28015 -j ACCEPT
```
```bash
# Check status
sudo firewall-cmd --state
sudo firewall-cmd --list-all
# Open a single UDP port (permanent + live)
sudo firewall-cmd --permanent --add-port=28015/udp
sudo firewall-cmd --reload
# Open a TCP port
sudo firewall-cmd --permanent --add-port=25565/tcp
sudo firewall-cmd --reload
# Open a range
sudo firewall-cmd --permanent --add-port=7777-7780/udp
sudo firewall-cmd --reload
# Restrict RCON to your IP via rich rule
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="YOUR.HOME.IP.HERE" port port="28017" protocol="tcp" accept'
sudo firewall-cmd --reload
# Remove a port
sudo firewall-cmd --permanent --remove-port=28015/udp
sudo firewall-cmd --reload
```
```powershell
# Run PowerShell as Administrator
# Allow inbound UDP on a single port
New-NetFirewallRule -DisplayName "Rust Game UDP 28015" -Direction Inbound -Protocol UDP -LocalPort 28015 -Action Allow
# Allow inbound TCP
New-NetFirewallRule -DisplayName "Minecraft Java TCP 25565" -Direction Inbound -Protocol TCP -LocalPort 25565 -Action Allow
# Allow a port range
New-NetFirewallRule -DisplayName "ARK Cluster 7777-7780" -Direction Inbound -Protocol UDP -LocalPort 7777-7780 -Action Allow
# Restrict RCON by remote IP
New-NetFirewallRule -DisplayName "RCON from home" -Direction Inbound -Protocol TCP -LocalPort 28017 -RemoteAddress YOUR.HOME.IP.HERE -Action Allow
# List rules for a game
Get-NetFirewallRule -DisplayName "*Rust*" | Format-Table DisplayName, Enabled, Direction, Action
# Remove a rule
Remove-NetFirewallRule -DisplayName "Rust Game UDP 28015"
```
Never expose RCON, MySQL, SSH on port 22, or admin panel ports directly to the internet. Put them behind a VPN (WireGuard is easy), an SSH tunnel, or Nginx with basic auth and a TLS cert. Your VPS provider's cloud firewall is only a first line of defense — always configure ufw/iptables/firewalld on the server itself.
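One way to check the rule above on a running Linux host, as an added example that is not part of the original page: it reads `ss -H -tuln` output and reports admin, RCON and database TCP ports from the tables on this page that listen on anything other than loopback. The function names and the sample socket list are constructed for illustration; a reported port still needs a firewall or VPN check, since a non-loopback bind can be filtered by ufw or an upstream firewall.

```bash
#!/usr/bin/env bash
# Admin, RCON and database TCP ports listed in the tables on this page.
ADMIN_PORTS="22 3306 7878 8080 8081 9100 21114 25575 27015 28017 32330 40120"

# Reads `ss -H -tuln` lines on stdin and prints "port address" for every
# admin port that listens on something other than loopback.
audit_admin_ports() {
  awk -v ports="$ADMIN_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) admin[p[i]] = 1 }
    $1 == "tcp" && $2 == "LISTEN" {
      port = $5; sub(/.*:/, "", port)         # text after the last colon
      addr = $5; sub(/:[^:]*$/, "", addr)     # everything before it
      gsub(/\[|\]/, "", addr)                 # drop IPv6 brackets
      sub(/%.*/, "", addr)                    # drop interface scope (%lo)
      if (!(port in admin)) next
      if (addr ~ /^127\./ || addr == "::1") next   # loopback only: fine
      print port, addr
    }'
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
sample_ss() {
  cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:28015      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:28017      0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      4096               *:8080             *:*
tcp   LISTEN 0      128            [::1]:25575         [::]:*
tcp   LISTEN 0      128          0.0.0.0:25565      0.0.0.0:*
EOF
}

# On a live server: ss -H -tuln | audit_admin_ports
sample_ss | audit_admin_ports
```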