Using Google Chromecast from Fedora 19

Using Chrome’s Google Cast with the Google Chromecast from an IPTables-enabled Linux distribution can be a bit tricky.

The extension starts by issuing an SSDP request from a local ephemeral UDP port to 239.255.255.250 port 1900.  The Chromecast will respond from its IP and another ephemeral UDP port, back to your source UDP port.

IPTables cannot track this simply as “RELATED”, given that the target of the first packet is the multicast address, while the source of the response packet is the Chromecast’s IP.  And unfortunately, there is no SSDP conntrack module (at least, not that I am aware of, at the time of writing this post).

Therefore, the best we can do for now is to open the ephemeral port range on the client machine.  The list of ephemeral ports, as defined by your Linux machine, can be found by:

cat /proc/sys/net/ipv4/ip_local_port_range

Fedora19 uses firewalld, so you will want to use the following:

firewall-cmd --permanent --add-port=32768-61000/udp
firewall-cmd --reload

Given the wide range of ports being opened, you may want to restrict access to just your local network. Consider using Network Manager to associate your NIC (eth0,wlan0, whatever) with your “home” zone, and use the following command instead of the above:

firewall-cmd --permanent --zone=home --add-port=32768-61000/udp

On non-firewalld systems, use this IPTables one-liner (modifying 192.168.0.0/24 as appropriate for your home network):

iptables -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 32768:61000 -j ACCEPT

Launch Chrome, click the Cast extensions, and it should now “Just Work”.  And if it doesn’t …. please let me know in the comments on this post.

UPDATE 20150803 – A few additional notes inspired by the great comment from mauriciograciag:

Note the use of the “–zone=home” parameter in the second firewall-cmd example above.  This can be a more secure option, but does require ensuring that you have a zone named “home”, and that Network Manager associates your active network profile with this zone.  If the Network Manager configuration is in place, I do recommend using that option for those working from systems (laptops) that might also find themselves on alternate networks.  However, for desktops that will not be connected to other networks, use of a zone will likely not add any tangible benefits.

If you set these rules via firewall-cmd and wish to revert them, the following should do the trick:

firewall-cmd –permanent –remove-port=32768-61000/udp
firewall-cmd –permanent –zone=home –remove-port=32768-61000/udp
firewall-cmd –reload

And lastly, note that the iptables rule must be run as root. Typically, this will be done by updating the iptables startup configuration for your favorite Linux distribution (e.g., you may need to add that line to /etc/iptables); but you might also want to run this a single time, non-persistently, from the command line.  If you have configured sudo appropriately on your Linux systems, preceding the iptables command with “sudo” would work as follows:

sudo iptables -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 32768:61000 -j ACCEPT

35 thoughts on “Using Google Chromecast from Fedora 19

  1. I haven’t been able to get this to work for me. It still can’t see the Chromecast. I’ve got Fedora 19 and I can see the Chromecast from my Galaxy S3 and from my Kindle Fire HD.

    Like

    1. Another commenter caught one additional necessary step – please see if “firewall-cmd –reload” helps. If not, just as a sanity check, please try (temporarily) disabling your firewall and trying the Cast extension again. If that doesn’t work, then the issue lies somewhere other than your firewall.

      Like

  2. Works, as long as you do

    firewall-cmd –reload

    after adding the ports using firewall-cmd.

    Thanks for the help.

    Like

  3. I got the chromecast working from my android devices, but this solution did not work for me. It’s getting late and my mind is a bit fuzzy. I’ll try again tomorrow.

    Like

  4. Excellent post. Also of note you can use the zone features of firewalld so that you only open this up inside your home. I ran the following command

    firewall-cmd –permanent –zone=home –add-port=”32768-61000/udp”

    And then configured my home wifi to use this firewall zone through NetworkManager.

    Like

    1. Absolutely right, I’m always one for increased security – especially when opening such a wide range of ports! Post updates to note your feedback – thank you!

      Like

  5. I couldn’t get this to work all the way. The first time I had an SELinux error, so I ran the following:

    # grep sh /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Then I ran this:

    # firewall-cmd –permanent –zone=home –add-port=”32768-61000/udp”

    The terminal hangs on the last command — I don’t get the prompt back.

    Ideas?

    Like

    1. Please try again, without the double-quotes around the range. Not sure where I picked those up from, but I can confirm the behavior you are seeing, and can confirm it works correctly without the quotes.

      I have corrected the post too.

      Thanks for catching this!

      Like

  6. That worked!

    In this order:

    # grep sh /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
    # firewall-cmd --permanent --zone=home --add-port=32768-61000/udp
    # firewall-cmd --reload

    Thanks for the help.

    Like

  7. I’m on Fedora 20, and this did not work for me. I ran “firewall-cmd –permanent –zone=home –add-port=32768-61000/udp” with the reload after. Works from my tablet. Any reason this doesn’t work with 20?

    Like

      1. Well home is there, but I’m not sure how I need to set it up. I opened the ports temporarily on public, and it worked. Do I need to add my Chromecast to the home zone somehow?

        Like

      2. Check out the “interfaces” in the “home” zone. You’ll want to make sure your NIC (e.g., eth0, wlan0) belongs to “home”.

        Alternatively, public is fine too – all depends on how you want your firewall security configured. ” public” means all the networks connected to your computer have access, “home” means only the networks connected to the listed interfaces have access. For most people at home, these two models are the same.

        Like

      3. Well I tried adding my wifi card interface (wlp4s0) to home permanent, but that didn’t work, and now for some reason I can’t remove the interface from there. I also tried opening the ports under public permanent, but that didn’t work. Only seems to work when I open them in runtime public, which resets on reboot, correct? Any ideas?

        Like

      4. Make sure to run the “–reload” for permanent changes to take effect immediately (I.e., that makes the rules you set for permanent application be applied to the current runtime)

        Like

      5. Still doesn’t work, but I think I figured out why. My card interface is still listed under public runtime, and I think that’s stealing control from home permanent. I’m not able to remove the network card from the public runtime interface, but I am able to move it to home runtime interface, and it works then. Any idea how I can stop public runtime from grabbing my card interface?

        Like

      6. A couple things:
        “Runtime” represents how things are running, right this very moment.
        “Permanent” represents what is stored in the config files. This might not yet have taken effect (that is, become “runtime”), but it will take affect the next time you “reload” the firewarell, or reboot the box.

        So, to make sure your interface stays in the “home” zone, you’ll want to configure that under the “permanent” settings. But, even better — go into “Settings”->”Network”, click the gear icon for your NIC, select the “Identity” option on the left, and change the firewall zone for your NIC to home. That will set this as your permanent zone for the NIC, and will take affect next time you reload, reconnect, or reboot — I’d recommend just rebooting for simplicity.

        Like

  8. IMHO

    you need to to include a SUDO to the IPTABLES command

    sudo iptables -A INPUT -s 192.168.0.0/24 -p udp -m udp –dport 32768:61000 -j ACCEPT

    And other improvements for this post are

    Mention the most secure option first
    firewall-cmd –permanent –zone=home –add-port=32768-61000/udp

    and then mention that if after trying this it still does not work then you should try the other commands

    firewall-cmd –permanent –add-port=32768-61000/udp

    If someone added all this new rules and did not work or just wants to reverse them to avoid security issues execute this commands

    firewall-cmd –permanent –remove-port=32768-61000/udp
    firewall-cmd –permanent –zone=home –remove-port=32768-61000/udp
    firewall-cmd –reload

    Like

      1. Thanks Matt. How about the chromcast setup tool (that is used for the first time setup o reconfiguration) can that also be installed in Fedora 22 ?

        Like

      2. You know, I’ve always just used the Android app (I don’t think there was any other way back when I ordered mine, part of the first batch) ! If you have any directions, I’d be happy to reference them.

        Liked by 1 person

    1. I don’t use Ubuntu very often, but is the firewall enabled by default, and does it block the high numbered ports by default? If it is not enabled, then this does not need to be done.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s