The extension starts by issuing an SSDP request from a local ephemeral UDP port to 18.104.22.168 port 1900. The Chromecast will respond from its IP and another ephemeral UDP port, back to your source UDP port.
IPTables cannot track this simply as “RELATED”, given that the target of the first packet is the multicast address, while the source of the response packet is the Chromecast’s IP. And unfortunately, there is no SSDP conntrack module (at least, not that I am aware of, at the time of writing this post).
Therefore, the best we can do for now is to open the ephemeral port range on the client machine. The list of ephemeral ports, as defined by your Linux machine, can be found by:
Fedora19 uses firewalld, so you will want to use the following:
firewall-cmd --permanent --add-port=32768-61000/udp firewall-cmd --reload
Given the wide range of ports being opened, you may want to restrict access to just your local network. Consider using Network Manager to associate your NIC (eth0,wlan0, whatever) with your “home” zone, and use the following command instead of the above:
firewall-cmd --permanent --zone=home --add-port=32768-61000/udp
On non-firewalld systems, use this IPTables one-liner (modifying 192.168.0.0/24 as appropriate for your home network):
iptables -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 32768:61000 -j ACCEPT
Launch Chrome, click the Cast extensions, and it should now “Just Work”. And if it doesn’t …. please let me know in the comments on this post.
UPDATE 20150803 – A few additional notes inspired by the great comment from mauriciograciag:
Note the use of the “–zone=home” parameter in the second firewall-cmd example above. This can be a more secure option, but does require ensuring that you have a zone named “home”, and that Network Manager associates your active network profile with this zone. If the Network Manager configuration is in place, I do recommend using that option for those working from systems (laptops) that might also find themselves on alternate networks. However, for desktops that will not be connected to other networks, use of a zone will likely not add any tangible benefits.
If you set these rules via firewall-cmd and wish to revert them, the following should do the trick:
firewall-cmd –permanent –remove-port=32768-61000/udp firewall-cmd –permanent –zone=home –remove-port=32768-61000/udp firewall-cmd –reload
And lastly, note that the iptables rule must be run as root. Typically, this will be done by updating the iptables startup configuration for your favorite Linux distribution (e.g., you may need to add that line to /etc/iptables); but you might also want to run this a single time, non-persistently, from the command line. If you have configured sudo appropriately on your Linux systems, preceding the iptables command with “sudo” would work as follows:
sudo iptables -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 32768:61000 -j ACCEPT