Using Google Chromecast from Fedora 19

Using Chrome’s Google Cast with the Google Chromecast from an IPTables-enabled Linux distribution can be a bit tricky.

The extension starts by issuing an SSDP request from a local ephemeral UDP port to 239.255.255.250 port 1900.  The Chromecast will respond from its IP and another ephemeral UDP port, back to your source UDP port.

IPTables cannot track this simply as “RELATED”, given that the target of the first packet is the multicast address, while the source of the response packet is the Chromecast’s IP.  And unfortunately, there is no SSDP conntrack module (at least, not that I am aware of, at the time of writing this post).

Therefore, the best we can do for now is to open the ephemeral port range on the client machine.  The list of ephemeral ports, as defined by your Linux machine, can be found by:

cat /proc/sys/net/ipv4/ip_local_port_range

Fedora 19 uses firewalld, so you will want to use the following:

firewall-cmd --permanent --add-port=32768-61000/udp
firewall-cmd --reload

Given the wide range of ports being opened, you may want to restrict access to just your local network. Consider using Network Manager to associate your NIC (eth0, wlan0, whatever) with your “home” zone, and use the following command instead of the above:

firewall-cmd --permanent --zone=home --add-port=32768-61000/udp

On non-firewalld systems, use this IPTables one-liner (modifying 192.168.0.0/24 as appropriate for your home network):

iptables -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 32768:61000 -j ACCEPT

Launch Chrome, click the Cast extension, and it should now “Just Work”.  And if it doesn’t… please let me know in the comments on this post.

UPDATE 20150803 – A few additional notes inspired by the great comment from mauriciograciag:

Note the use of the “--zone=home” parameter in the second firewall-cmd example above.  This can be a more secure option, but does require ensuring that you have a zone named “home”, and that Network Manager associates your active network profile with this zone.  If the Network Manager configuration is in place, I do recommend using that option for those working from systems (laptops) that might also find themselves on alternate networks.  However, for desktops that will not be connected to other networks, use of a zone will likely not add any tangible benefits.

If you set these rules via firewall-cmd and wish to revert them, the following should do the trick:

firewall-cmd --permanent --remove-port=32768-61000/udp
firewall-cmd --permanent --zone=home --remove-port=32768-61000/udp
firewall-cmd --reload

And lastly, note that the iptables rule must be run as root. Typically, this will be done by updating the iptables startup configuration for your favorite Linux distribution (e.g., you may need to add that line to /etc/iptables); but you might also want to run this a single time, non-persistently, from the command line.  If you have configured sudo appropriately on your Linux systems, preceding the iptables command with “sudo” would work as follows:

sudo iptables -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 32768:61000 -j ACCEPT
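
The rules above hard-code 32768-61000, while the range a given kernel actually uses is whatever /proc/sys/net/ipv4/ip_local_port_range reports. The following added example (not part of the original post; the function names are hypothetical) reads and validates that range, then prints the matching add or remove commands for firewalld and iptables without executing them. The zone "home" and the subnet 192.168.0.0/24 are the post's example values.

```shell
#!/bin/sh
# Added example: print (do not run) firewall commands sized to this host's
# real ephemeral range. Function names are hypothetical, not from the post.

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# read_port_range [FILE] -> "LOW HIGH", or non-zero if the value looks wrong.
read_port_range() {
    file=${1:-/proc/sys/net/ipv4/ip_local_port_range}
    [ -r "$file" ] || return 1
    read -r low high < "$file" || return 1
    is_uint "$low" && is_uint "$high" || return 1
    # Assumption: refuse ranges that would expose privileged ports (<1024).
    [ "$low" -ge 1024 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ] || return 1
    echo "$low $high"
}

# firewalld_cmds add|remove ZONE LOW HIGH
firewalld_cmds() {
    case "$1" in add|remove) ;; *) return 1 ;; esac
    echo "firewall-cmd --permanent --zone=$2 --$1-port=$3-$4/udp"
    echo "firewall-cmd --reload"
}

# iptables_cmd add|remove CIDR LOW HIGH (-A appends the rule, -D deletes it)
iptables_cmd() {
    case "$1" in add) flag=-A ;; remove) flag=-D ;; *) return 1 ;; esac
    echo "iptables $flag INPUT -s $2 -p udp -m udp --dport $3:$4 -j ACCEPT"
}

# Zone "home" and 192.168.0.0/24 are the post's example values.
if range=$(read_port_range 2>/dev/null); then
    set -- $range
    firewalld_cmds add home "$1" "$2"
    iptables_cmd add 192.168.0.0/24 "$1" "$2"
fi
```

Review the printed commands before running them as root; calling the same functions with "remove" prints the commands that undo the change.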

  1. #1 by Brian Hartman on 2013-09-03 18:56:56 EST - 2013-09-03T18:56:56+00:00

    I haven’t been able to get this to work for me. It still can’t see the Chromecast. I’ve got Fedora 19 and I can see the Chromecast from my Galaxy S3 and from my Kindle Fire HD.

    • #2 by Matt on 2013-09-03 22:18:29 EST - 2013-09-03T22:18:29+00:00

      Another commenter caught one additional necessary step – please see if “firewall-cmd --reload” helps. If not, just as a sanity check, please try (temporarily) disabling your firewall and trying the Cast extension again. If that doesn’t work, then the issue lies somewhere other than your firewall.

  2. #3 by Mark on 2013-09-03 21:43:27 EST - 2013-09-03T21:43:27+00:00

    Works, as long as you do

    firewall-cmd --reload

    after adding the ports using firewall-cmd.

    Thanks for the help.

    • #4 by Matt on 2013-09-03 22:15:32 EST - 2013-09-03T22:15:32+00:00

      Good catch – updated. Thank you!

    • #5 by Brian Hartman on 2013-09-06 21:27:15 EST - 2013-09-06T21:27:15+00:00

      Got it to work. It works great now. Thanks for your help! 🙂

    • #6 by Parker Lumpee on 2014-03-30 19:40:46 EST - 2014-03-30T19:40:46+00:00

      This did it for me, working perfect now. Thanks to you and the OP.

  3. #7 by Forrest Sweasy on 2013-09-10 20:45:18 EST - 2013-09-10T20:45:18+00:00

    I got the chromecast working from my android devices, but this solution did not work for me. It’s getting late and my mind is a bit fuzzy. I’ll try again tomorrow.

  4. #8 by tc3driver on 2013-09-11 03:23:41 EST - 2013-09-11T03:23:41+00:00

    Thank you good sir…. I was running out of Ideas…

  5. #9 by Yash on 2013-10-12 05:45:08 EST - 2013-10-12T05:45:08+00:00

    Thanks very much for this. I had almost given up on getting it to work with my Fedora laptop.

  6. #10 by Joel on 2013-10-21 01:36:55 EST - 2013-10-21T01:36:55+00:00

    I would hug you if I could. This has been bugging me forever…

  7. #11 by Andrew Stiegmann on 2013-10-31 01:31:33 EST - 2013-10-31T01:31:33+00:00

    Excellent post. Also of note you can use the zone features of firewalld so that you only open this up inside your home. I ran the following command

    firewall-cmd --permanent --zone=home --add-port=”32768-61000/udp”

    And then configured my home wifi to use this firewall zone through NetworkManager.

    • #12 by Matt on 2013-11-02 13:27:37 EST - 2013-11-02T13:27:37+00:00

      Absolutely right, I’m always one for increased security – especially when opening such a wide range of ports! Post updates to note your feedback – thank you!

  8. #13 by Steven Rosenberg on 2013-11-10 16:43:01 EST - 2013-11-10T16:43:01+00:00

    I couldn’t get this to work all the way. The first time I had an SELinux error, so I ran the following:

    # grep sh /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Then I ran this:

    # firewall-cmd --permanent --zone=home --add-port=”32768-61000/udp”

    The terminal hangs on the last command — I don’t get the prompt back.

    Ideas?

    • #14 by Matt on 2013-11-10 16:57:36 EST - 2013-11-10T16:57:36+00:00

      Please try again, without the double-quotes around the range. Not sure where I picked those up from, but I can confirm the behavior you are seeing, and can confirm it works correctly without the quotes.

      I have corrected the post too.

      Thanks for catching this!

  9. #15 by Steven Rosenberg on 2013-11-11 01:42:00 EST - 2013-11-11T01:42:00+00:00

    That worked!

    In this order:

    # grep sh /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
    # firewall-cmd --permanent --zone=home --add-port=32768-61000/udp
    # firewall-cmd --reload

    Thanks for the help.

  10. #16 by Blake on 2013-11-30 00:55:09 EST - 2013-11-30T00:55:09+00:00

    Thanks Matt, the two “firewall-cmd” commands worked like a charm! Cheers!

  11. #17 by Ronak Mallik (@ronak) on 2014-03-22 19:36:17 EST - 2014-03-22T19:36:17+00:00

    these directions worked for me on rhel-7 beta. thanks!

  12. #18 by Ryan Veca on 2014-03-30 04:00:51 EST - 2014-03-30T04:00:51+00:00

    I’m on Fedora 20, and this did not work for me. I ran “firewall-cmd --permanent --zone=home --add-port=32768-61000/udp” with the reload after. Works from my tablet. Any reason this doesn’t work with 20?

    • #19 by Matt on 2014-03-30 09:10:24 EST - 2014-03-30T09:10:24+00:00

      You may want to check (using the firewalld GUI) that the zone “home” is the right zone.

      • #20 by Ryan Veca on 2014-03-30 13:58:32 EST - 2014-03-30T13:58:32+00:00

        Well home is there, but I’m not sure how I need to set it up. I opened the ports temporarily on public, and it worked. Do I need to add my Chromecast to the home zone somehow?

      • #21 by Matt on 2014-03-30 14:06:08 EST - 2014-03-30T14:06:08+00:00

        Check out the “interfaces” in the “home” zone. You’ll want to make sure your NIC (e.g., eth0, wlan0) belongs to “home”.

        Alternatively, public is fine too – all depends on how you want your firewall security configured. “public” means all the networks connected to your computer have access, “home” means only the networks connected to the listed interfaces have access. For most people at home, these two models are the same.

      • #22 by Ryan Veca on 2014-03-30 14:19:16 EST - 2014-03-30T14:19:16+00:00

        Well I tried adding my wifi card interface (wlp4s0) to home permanent, but that didn’t work, and now for some reason I can’t remove the interface from there. I also tried opening the ports under public permanent, but that didn’t work. Only seems to work when I open them in runtime public, which resets on reboot, correct? Any ideas?

      • #23 by Matt on 2014-03-30 14:24:04 EST - 2014-03-30T14:24:04+00:00

        Make sure to run the “--reload” for permanent changes to take effect immediately (i.e., that makes the rules you set for permanent application be applied to the current runtime)

      • #24 by Ryan Veca on 2014-03-30 14:53:56 EST - 2014-03-30T14:53:56+00:00

        Still doesn’t work, but I think I figured out why. My card interface is still listed under public runtime, and I think that’s stealing control from home permanent. I’m not able to remove the network card from the public runtime interface, but I am able to move it to home runtime interface, and it works then. Any idea how I can stop public runtime from grabbing my card interface?

      • #25 by Matt on 2014-03-30 15:08:27 EST - 2014-03-30T15:08:27+00:00

        A couple things:
        “Runtime” represents how things are running, right this very moment.
        “Permanent” represents what is stored in the config files. This might not yet have taken effect (that is, become “runtime”), but it will take effect the next time you “reload” the firewall, or reboot the box.

        So, to make sure your interface stays in the “home” zone, you’ll want to configure that under the “permanent” settings. But, even better — go into “Settings”->”Network”, click the gear icon for your NIC, select the “Identity” option on the left, and change the firewall zone for your NIC to home. That will set this as your permanent zone for the NIC, and will take effect next time you reload, reconnect, or reboot — I’d recommend just rebooting for simplicity.

      • #26 by Ryan Veca on 2014-03-30 15:29:17 EST - 2014-03-30T15:29:17+00:00

        That did it. Thanks very much for all the help. 🙂

  13. #27 by El-Deir on 2014-05-08 19:07:59 EST - 2014-05-08T19:07:59+00:00

    Very good! Grateful!

  14. #28 by mauriciograciag on 2015-08-03 11:47:27 EST - 2015-08-03T11:47:27+00:00

    IMHO

    you need to include a SUDO to the IPTABLES command

    sudo iptables -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 32768:61000 -j ACCEPT

    And other improvements for this post are

    Mention the most secure option first
    firewall-cmd --permanent --zone=home --add-port=32768-61000/udp

    and then mention that if after trying this it still does not work then you should try the other commands

    firewall-cmd --permanent --add-port=32768-61000/udp

    If someone added all these new rules and they did not work, or just wants to reverse them to avoid security issues, execute these commands

    firewall-cmd --permanent --remove-port=32768-61000/udp
    firewall-cmd --permanent --zone=home --remove-port=32768-61000/udp
    firewall-cmd --reload

    • #29 by Matt on 2015-08-03 12:07:14 EST - 2015-08-03T12:07:14+00:00

      Hi mauriciograciag, thank you for the great feedback. I have added a short update to address your points.

      • #30 by mauriciograciag on 2015-08-03 13:13:17 EST - 2015-08-03T13:13:17+00:00

        Thanks Matt. How about the Chromecast setup tool (that is used for the first time setup or reconfiguration) can that also be installed in Fedora 22?

      • #31 by Matt on 2015-08-04 22:02:08 EST - 2015-08-04T22:02:08+00:00

        You know, I’ve always just used the Android app (I don’t think there was any other way back when I ordered mine, part of the first batch) ! If you have any directions, I’d be happy to reference them.

  15. #32 by John Fulton (@fultonj) on 2015-12-29 14:57:27 EST - 2015-12-29T14:57:27+00:00

    Funny when Google brings you to a useful page and then you look up and say “I know that guy”. Thanks Matt. This got my Chromecast working on my RHEL7.2 laptop.

  16. #33 by Hsiao-Ting Wang on 2016-04-13 11:53:45 EST - 2016-04-13T11:53:45+00:00

    This tip saved a lot of my time. Thanks a lot!

    However, curious about why this obstacle only happens on CentOS and not on Ubuntu.

    • #34 by Matt on 2016-04-13 13:45:28 EST - 2016-04-13T13:45:28+00:00

      I don’t use Ubuntu very often, but is the firewall enabled by default, and does it block the high numbered ports by default? If it is not enabled, then this does not need to be done.
