How to open MTA:SA firewall ports so the server shows online

Learn how to open the MTA:SA ports (22003, 22005, 22126) on the server firewall so it appears in the public list and accepts players.

You spun up the MTA:SA server, the console reports a clean startup, the process is listening on the right ports — but when you open the game client and browse the public list, your server simply doesn’t appear. In 9 out of 10 cases, the problem isn’t MTA itself, it’s the operating system firewall blocking the ports the master server needs to reach in order to register your server.

This tutorial shows how to open the right ports on the firewall (UFW, firewalld, and Windows Firewall) so the MTA:SA server appears in the public list and accepts connections. Estimated time: 10 to 15 minutes, including external verification.

This tutorial is written for the server owner who already has MTA running and is comfortable with the command line, but is stuck on this last step of public exposure. We won’t cover the server install itself, only the firewall and the reason behind each port.

Prerequisites

Before touching the firewall, confirm the MTA server is actually running and listening on the ports. Otherwise you’ll be opening traffic to a process that doesn’t exist.

  • Root or sudo access to the server (Linux), or Administrator (Windows).
  • MTA:SA server installed and running, with mtaserver.conf configured.
  • Know the server’s public IP for external testing.
  • An MTA:SA client on another machine for final validation.

The default MTA:SA server ports that need to be reachable from outside are:

Game port 22003/UDP
Resource HTTP 22005/TCP
ASE (announce) 22126/UDP

The ASE port is calculated as serverport + 123. If you use the default 22003, ASE lands on 22126. If you switch to 23000, ASE becomes 23123. That relationship is fixed and cannot be decoupled.

Confirm ASE is enabled on the server

Opening the ASE port on the firewall only works if the MTA server is actually announcing to the master server. That behavior is controlled by a flag in the configuration file.

01

Open mtaserver.conf in the server folder (usually at mods/deathmatch/mtaserver.conf on Linux, or in the install root on Windows):

nano mods/deathmatch/mtaserver.conf

Look for the <ase> tag and confirm the value is 1:

<ase>1</ase>

If it’s set to 0, the server doesn’t announce to the master and won’t appear publicly even with the firewall open. Change it to 1 and save.

02

Confirm the main port and HTTP server in the same file:

<serverport>22003</serverport>
<httpport>22005</httpport>

If you changed these values, take note — you’ll open the custom ports instead of the defaults.

03

Restart the MTA server to apply any change in mtaserver.conf:

sudo systemctl restart mta-server

If you don’t use systemd, stop and start the process manually per your setup.

Open ports on UFW (Ubuntu/Debian)

UFW is the default firewall on Ubuntu and Debian. The syntax is straightforward and each rule is independent.

01

Check whether UFW is active before adding rules:

sudo ufw status verbose

If the output says Status: inactive, the firewall isn’t blocking anything and your problem is elsewhere (most likely the provider firewall or NAT). If it says active, continue.

02

Add rules for the three MTA ports:

sudo ufw allow 22003/udp comment 'MTA:SA game'
sudo ufw allow 22005/tcp comment 'MTA:SA HTTP'
sudo ufw allow 22126/udp comment 'MTA:SA ASE'

The comments are optional but help you remember the reason for each rule when auditing later with ufw status numbered.

03

Reload the rules and confirm:

sudo ufw reload
sudo ufw status numbered

The output should list the three rules as ALLOW IN. If you see Anywhere (v6) listed separately, that’s normal — UFW creates an IPv4 and an IPv6 entry for each rule.

Mind the rule order

If you have a sweeping deny rule on UFW (rare, but it happens in hardened setups), it can sit above the allow rules. Use sudo ufw status numbered to inspect the order and sudo ufw insert NUMBER allow ... to insert at the right position.

Open ports on firewalld (Rocky/AlmaLinux/CentOS)

Red Hat-based distributions use firewalld by default. The model is zone-oriented — you add ports to a zone, you don’t create loose rules.

01

Confirm firewalld is running:

sudo systemctl status firewalld

If it’s inactive, the firewall isn’t blocking anything via firewalld (raw iptables can still be in play, but that’s uncommon on clean installs).

02

Add the ports to the public zone permanently:

sudo firewall-cmd --permanent --zone=public --add-port=22003/udp
sudo firewall-cmd --permanent --zone=public --add-port=22005/tcp
sudo firewall-cmd --permanent --zone=public --add-port=22126/udp

The --permanent flag writes the rules to disk. Without it, the rules vanish on the next server reboot.

03

Reload to apply and confirm:

sudo firewall-cmd --reload
sudo firewall-cmd --zone=public --list-ports

The --list-ports output should show 22003/udp 22005/tcp 22126/udp. If they don’t appear, you most likely forgot --permanent or you’re looking at the wrong zone — confirm with firewall-cmd --get-active-zones.
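The UFW and firewalld commands above hard-code the default ports. As an added example (not part of the original tutorial), this script reads serverport, httpport and ase from mtaserver.conf, applies the serverport + 123 rule, and prints the matching allow commands without applying them. The function names are hypothetical, and it assumes each tag sits on one line outside any XML comment.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Assumes each tag sits on
# one line of mtaserver.conf and is not inside an XML comment.

# conf_value FILE TAG: print the text between <TAG> and </TAG> (first match).
conf_value() {
    sed -n "s:.*<$2>\([^<]*\)</$2>.*:\1:p" "$1" | head -n 1 | tr -d '[:space:]'
}

# valid_port N: succeed only for a decimal integer in 1..65535.
valid_port() {
    case "$1" in ''|0*|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# mta_rules FILE BACKEND: print one allow command per required port.
# BACKEND is "ufw" or "firewalld"; nothing is applied, only printed.
mta_rules() {
    game=$(conf_value "$1" serverport)
    http=$(conf_value "$1" httpport)
    ase=$(conf_value "$1" ase)
    valid_port "$game" || { echo "bad <serverport>: '$game'" >&2; return 1; }
    valid_port "$http" || { echo "bad <httpport>: '$http'" >&2; return 1; }
    ase_port=$((game + 123))    # fixed offset described in the tutorial
    valid_port "$ase_port" || { echo "ASE port $ase_port exceeds 65535" >&2; return 1; }
    [ "$ase" = 1 ] || echo "warning: <ase> is '$ase'; server will not be listed" >&2
    for rule in "$game/udp" "$http/tcp" "$ase_port/udp"; do
        case "$2" in
            ufw)       echo "sudo ufw allow $rule" ;;
            firewalld) echo "sudo firewall-cmd --permanent --zone=public --add-port=$rule" ;;
            *)         echo "unknown backend: $2" >&2; return 1 ;;
        esac
    done
}

# Constructed sample config with a non-default game port.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<config>
    <serverport>23000</serverport>
    <httpport>23005</httpport>
    <ase>1</ase>
</config>
EOF
mta_rules "$sample" ufw
mta_rules "$sample" firewalld
rm -f "$sample"
```

Review the printed commands before running them, then reload the firewall as in step 03 of the relevant section.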

Open ports on Windows Firewall

If the MTA server runs on Windows, the default firewall is Windows Defender Firewall. The GUI works, but PowerShell is faster and more reproducible.

01

Open PowerShell as Administrator (right-click the PowerShell icon, “Run as administrator”).

02

Create the three inbound rules:

New-NetFirewallRule -DisplayName "MTA:SA Game" -Direction Inbound -Protocol UDP -LocalPort 22003 -Action Allow
New-NetFirewallRule -DisplayName "MTA:SA HTTP" -Direction Inbound -Protocol TCP -LocalPort 22005 -Action Allow
New-NetFirewallRule -DisplayName "MTA:SA ASE" -Direction Inbound -Protocol UDP -LocalPort 22126 -Action Allow

Each command returns an object describing the rule it created. If no error is printed in red, the rule takes effect immediately; Windows Firewall does not need a reload.

03

Confirm by listing the new rules:

Get-NetFirewallRule -DisplayName "MTA:SA*" | Format-Table DisplayName, Enabled, Direction, Action

All three should appear with Enabled: True and Action: Allow.

Verify reachability from the outside

Opening the local firewall does not guarantee external access — there might be blocking in upper layers (datacenter firewall, router NAT, network ACL). The only reliable test is from outside the server.

01

From another machine (not the MTA server), install nmap:

sudo apt install -y nmap

On Windows, download it from nmap.org/download.

02

Test UDP on the game port and ASE — replace YOUR_IP with the server’s public IP:

sudo nmap -sU -p 22003,22126 YOUR_IP

UDP scan requires root (sudo) because it uses raw sockets. Expected results: open or open|filtered. If it comes back as plain filtered, blocking still exists somewhere.

03

Test TCP on the resource HTTP port:

nmap -p 22005 YOUR_IP

Expected result: open. If it comes back as closed, the MTA server isn’t listening on that port (check httpport in mtaserver.conf). If it comes back as filtered, a firewall is still blocking somewhere along the path.

Troubleshooting

Server shows offline in the list even with ports open

Wait 5 to 10 minutes after opening the ports — the MTA master server has a polling interval. If after that window it still doesn’t appear, open the MTA client and use “Add server manually” with YOUR_IP:22003. If you can connect manually but the server still won’t appear in the public list, the issue is specifically with ASE (port 22126 or the <ase>0</ase> flag).

nmap returns “filtered” but the local firewall is open

There is an upstream firewall or ACL. On home servers, configure port forwarding on the router. On provider VPS or dedicated boxes, check whether the provider panel has a network firewall enabled — some providers apply a network-layer firewall separate from the OS firewall.

Server shows up but players can’t download resources on connect

This symptom is specific: TCP 22005 is blocked. Clients connect (UDP 22003 works) but the transfer of scripts and models fails. Confirm you opened the TCP port separately — it isn’t bundled with the UDP one in any of the firewalls covered here.

Next steps

With the ports open and the server appearing publicly, consider:

  • Setting rate limit rules on the firewall to mitigate fake ASE query floods
  • Documenting the IP and ports in a runbook for future troubleshooting
  • Enabling MTA connection logs to correlate with firewall traffic
  • Evaluating dedicated DDoS protection if the server grows and starts attracting unwanted attention

If you’re running MTA:SA in production and want to avoid headaches with firewall, NAT, and volumetric attack protection, the game hosting plans from Hostini already ship with pre-configured firewall for MTA:SA and DDoS protection enabled by default.

Frequently asked questions

Which exact MTA:SA ports do I need to open on the firewall?

By default you need three ports: 22003/UDP (the main game port), 22005/TCP (the internal HTTP server for resource downloads), and 22126/UDP (ASE — the announcement that registers the server in the public list). If you customized these ports in mtaserver.conf, open the matching values instead.

What is the ASE port and why is it required to show up online?

ASE stands for All-Seeing Eye — it's the query protocol the MTA master server uses to register your server in the public list and respond to client queries. Without the ASE port reachable (22126/UDP by default), the server can be running perfectly and still remain invisible in the in-game list.

I opened the ports on UFW but the server still doesn't appear — what could be wrong?

Three common causes: (1) there's an upstream firewall at the provider or router also blocking, (2) the 'ase' option is not enabled in mtaserver.conf, or (3) the server sits behind NAT without port forwarding. Test with nmap -sU -p 22126 YOUR_IP from outside the network to confirm.

Do I need to open TCP or UDP ports for MTA:SA?

Both. The main game traffic (22003) and ASE (22126) are UDP because they're low-latency protocols. The internal HTTP server (22005) is TCP because it transfers resource files to clients on connect. Opening only one of the two leaves the server partially functional.

How do I change the default MTA:SA ports if they are already in use?

Edit the mtaserver.conf file in the server folder and adjust the <serverport> and <httpport> parameters — ASE is then calculated as serverport+123. Restart the server and open the new ports on the firewall. Keep in mind that players will need to type the custom port on connect if it's not the default.

Is it safe to open these ports directly to the internet?

Yes — they're game application ports designed for public traffic. The real risk lives in administrative ports such as SSH (22) or the server's web panel. Keep a restrictive firewall on administrative ports and open only the ports strictly required for the game to work.
