Using Chrome’s Google Cast with the Google Chromecast from an IPTables-enabled Linux distribution can be a bit tricky.
The extension starts by issuing an SSDP request from a local ephemeral UDP port to 239.255.255.250 port 1900. The Chromecast will respond from its IP and another ephemeral UDP port, back to your source UDP port.
IPTables cannot track this simply as “RELATED”, given that the target of the first packet is the multicast address, while the source of the response packet is the Chromecast’s IP. And unfortunately, there is no SSDP conntrack module (at least, not that I am aware of, at the time of writing this post).
Therefore, the best we can do for now is to open the ephemeral port range on the client machine. The list of ephemeral ports, as defined by your Linux machine, can be found by:
cat /proc/sys/net/ipv4/ip_local_port_range
Fedora19 uses firewalld, so you will want to use the following:
firewall-cmd --permanent --add-port=32768-61000/udp
firewall-cmd --reload
Given the wide range of ports being opened, you may want to restrict access to just your local network. Consider using Network Manager to associate your NIC (eth0, wlan0, etc.) with your “home” zone, and use the following command instead of the above:
firewall-cmd --permanent --zone=home --add-port=32768-61000/udp
On non-firewalld systems, use this IPTables one-liner (modifying 192.168.0.0/24 as appropriate for your home network):
iptables -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 32768:61000 -j ACCEPT
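The commands above hard-code 32768-61000, but the kernel's actual range can differ (newer kernels default to 32768-60999). As an added example that is not part of the original post, this POSIX shell snippet reads the range from /proc, validates it, and emits the matching firewalld or iptables rule; the zone name "home" and the 192.168.0.0/24 LAN are placeholders to adjust.

```shell
#!/bin/sh
# Added example: derive the UDP ephemeral port range from the kernel and
# build the firewalld/iptables rule for it, instead of hard-coding 32768-61000.
# Assumptions: a firewalld zone named "home" exists; 192.168.0.0/24 is your LAN.

# Print "low high" from the kernel's ip_local_port_range (or from a given file).
# Returns non-zero if the file is missing or does not hold two integers.
ephemeral_range() {
    file="${1:-/proc/sys/net/ipv4/ip_local_port_range}"
    read -r low high < "$file" || return 1
    case "${low}${high}" in
        ''|*[!0-9]*) return 1 ;;   # reject empty or non-numeric content
    esac
    [ -n "$high" ] || return 1
    printf '%s %s\n' "$low" "$high"
}

# Emit the permanent firewalld rule; pass a zone as $3 to restrict it to that zone.
firewalld_rule() {
    low="$1"; high="$2"; zone="$3"
    if [ -n "$zone" ]; then
        printf 'firewall-cmd --permanent --zone=%s --add-port=%s-%s/udp\n' "$zone" "$low" "$high"
    else
        printf 'firewall-cmd --permanent --add-port=%s-%s/udp\n' "$low" "$high"
    fi
}

# Emit the iptables rule, limited to the LAN given as $3 (e.g. 192.168.0.0/24).
iptables_rule() {
    low="$1"; high="$2"; lan="$3"
    printf 'iptables -A INPUT -s %s -p udp -m udp --dport %s:%s -j ACCEPT\n' "$lan" "$low" "$high"
}

# Typical use (as root): eval "$(firewalld_rule $(ephemeral_range) home)" && firewall-cmd --reload
```

Review the printed rule before running it; the firewalld variant still needs a firewall-cmd --reload to take effect.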
Launch Chrome, click the Cast extension, and it should now “Just Work”. And if it doesn’t… please let me know in the comments on this post.
UPDATE 20150803 – A few additional notes inspired by the great comment from mauriciograciag:
Note the use of the “--zone=home” parameter in the second firewall-cmd example above. This can be a more secure option, but it does require ensuring that you have a zone named “home” and that Network Manager associates your active network profile with this zone. If the Network Manager configuration is in place, I do recommend using that option for those working from systems (laptops) that might also find themselves on alternate networks. However, for desktops that will not be connected to other networks, use of a zone will likely not add any tangible benefit.
If you set these rules via firewall-cmd and wish to revert them, the following should do the trick:
firewall-cmd --permanent --remove-port=32768-61000/udp
firewall-cmd --permanent --zone=home --remove-port=32768-61000/udp
firewall-cmd --reload
And lastly, note that the iptables rule must be run as root. Typically, this will be done by updating the iptables startup configuration for your favorite Linux distribution (e.g., you may need to add that line to /etc/iptables); but you might also want to run this a single time, non-persistently, from the command line. If you have configured sudo appropriately on your Linux systems, preceding the iptables command with “sudo” would work as follows:
sudo iptables -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 32768:61000 -j ACCEPT
I haven’t been able to get this to work for me. It still can’t see the Chromecast. I’ve got Fedora 19 and I can see the Chromecast from my Galaxy S3 and from my Kindle Fire HD.
Another commenter caught one additional necessary step – please see if “firewall-cmd --reload” helps. If not, just as a sanity check, please try (temporarily) disabling your firewall and trying the Cast extension again. If that doesn’t work, then the issue lies somewhere other than your firewall.
Works, as long as you do
firewall-cmd --reload
after adding the ports using firewall-cmd.
Thanks for the help.
Good catch – updated. Thank you!
Got it to work. It works great now. Thanks for your help! 🙂
This did it for me, working perfect now. Thanks to you and the OP.
I got the chromecast working from my android devices, but this solution did not work for me. It’s getting late and my mind is a bit fuzzy. I’ll try again tomorrow.
Thank you good sir…. I was running out of Ideas…
Thanks very much for this. I had almost given up on getting it to work with my Fedora laptop.
I would hug you if I could. This has been bugging me forever…
Excellent post. Also of note you can use the zone features of firewalld so that you only open this up inside your home. I ran the following command
firewall-cmd --permanent --zone=home --add-port="32768-61000/udp"
And then configured my home wifi to use this firewall zone through NetworkManager.
Absolutely right, I’m always one for increased security – especially when opening such a wide range of ports! Post updates to note your feedback – thank you!
I couldn’t get this to work all the way. The first time I had an SELinux error, so I ran the following:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Then I ran this:
# firewall-cmd --permanent --zone=home --add-port="32768-61000/udp"
The terminal hangs on the last command — I don’t get the prompt back.
Ideas?
Please try again, without the double-quotes around the range. Not sure where I picked those up from, but I can confirm the behavior you are seeing, and can confirm it works correctly without the quotes.
I have corrected the post too.
Thanks for catching this!
That worked!
In this order:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
# firewall-cmd --permanent --zone=home --add-port=32768-61000/udp
# firewall-cmd --reload
Thanks for the help.
Thanks Matt, the two “firewall-cmd” commands worked like a charm! Cheers!
these directions worked for me on rhel-7 beta. thanks!
I’m on Fedora 20, and this did not work for me. I ran “firewall-cmd --permanent --zone=home --add-port=32768-61000/udp” with the reload after. Works from my tablet. Any reason this doesn’t work with 20?
You may want to check (using the firewalld GUI) that the zone “home” is the right zone.
Well home is there, but I’m not sure how I need to set it up. I opened the ports temporarily on public, and it worked. Do I need to add my Chromecast to the home zone somehow?
Check out the “interfaces” in the “home” zone. You’ll want to make sure your NIC (e.g., eth0, wlan0) belongs to “home”.
Alternatively, public is fine too – all depends on how you want your firewall security configured. “public” means all the networks connected to your computer have access; “home” means only the networks connected to the listed interfaces have access. For most people at home, these two models are the same.
Well I tried adding my wifi card interface (wlp4s0) to home permanent, but that didn’t work, and now for some reason I can’t remove the interface from there. I also tried opening the ports under public permanent, but that didn’t work. Only seems to work when I open them in runtime public, which resets on reboot, correct? Any ideas?
Make sure to run the “--reload” for permanent changes to take effect immediately (i.e., that makes the rules you set for permanent application be applied to the current runtime).
Still doesn’t work, but I think I figured out why. My card interface is still listed under public runtime, and I think that’s stealing control from home permanent. I’m not able to remove the network card from the public runtime interface, but I am able to move it to home runtime interface, and it works then. Any idea how I can stop public runtime from grabbing my card interface?
A couple things:
“Runtime” represents how things are running, right this very moment.
“Permanent” represents what is stored in the config files. This might not yet have taken effect (that is, become “runtime”), but it will take effect the next time you “reload” the firewall, or reboot the box.
So, to make sure your interface stays in the “home” zone, you’ll want to configure that under the “permanent” settings. But, even better — go into “Settings”->”Network”, click the gear icon for your NIC, select the “Identity” option on the left, and change the firewall zone for your NIC to home. That will set this as your permanent zone for the NIC, and will take effect next time you reload, reconnect, or reboot — I’d recommend just rebooting for simplicity.
That did it. Thanks very much for all the help. 🙂
Very good! Grateful!
IMHO
you need to include a sudo in the iptables command
sudo iptables -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 32768:61000 -j ACCEPT
And other improvements for this post are
Mention the most secure option first
firewall-cmd --permanent --zone=home --add-port=32768-61000/udp
and then mention that if after trying this it still does not work then you should try the other commands
firewall-cmd --permanent --add-port=32768-61000/udp
If someone added all these new rules and it did not work, or just wants to reverse them to avoid security issues, execute these commands
firewall-cmd --permanent --remove-port=32768-61000/udp
firewall-cmd --permanent --zone=home --remove-port=32768-61000/udp
firewall-cmd --reload
Hi mauriciograciag, thank you for the great feedback. I have added a short update to address your points.
Thanks Matt. How about the Chromecast setup tool (that is used for the first-time setup or reconfiguration)? Can that also be installed in Fedora 22?
You know, I’ve always just used the Android app (I don’t think there was any other way back when I ordered mine, part of the first batch) ! If you have any directions, I’d be happy to reference them.
Funny when Google brings you to a useful page and then you look up and say “I know that guy”. Thanks Matt. This got my Chromecast working on my RHEL7.2 laptop.
This tip saved a lot of my time. Thanks a lot!
However, I am curious about why this obstacle only happens on CentOS and not on Ubuntu.
I don’t use Ubuntu very often, but is the firewall enabled by default, and does it block the high numbered ports by default? If it is not enabled, then this does not need to be done.