TL;DR:
Provided you've already allowed ESTABLISHED traffic in the INPUT chain (see the last point below):

```sh
export CHROMECAST_IP=10.1.2.3 # Adjust to the Chromecast IP in your local network
iptables -A INPUT -s ${CHROMECAST_IP}/32 -p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000 -m comment --comment "Allow Chromecast UDP data (inbound)" -j ACCEPT
iptables -A OUTPUT -d ${CHROMECAST_IP}/32 -p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000 -m comment --comment "Allow Chromecast UDP data (outbound)" -j ACCEPT
iptables -A OUTPUT -d ${CHROMECAST_IP}/32 -p tcp -m multiport --dports 8008:8009 -m comment --comment "Allow Chromecast TCP data (outbound)" -j ACCEPT
iptables -A OUTPUT -d 239.255.255.250/32 -p udp --dport 1900 -m comment --comment "Allow Chromecast SSDP" -j ACCEPT
```
When do you need this?
Well, I really like to keep my hosts' firewall configuration very strict, not just on my routers but also on the clients/workstations.
For instance, on my laptop I like all firewall chains to have a DROP policy.
E.g.:

```sh
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
```
Then I make the usual exemptions in my firewall for whatever stops working. For example, I'll notice my DHCP is blocked, then my DNS requests, then HTTP, etc., and at some point I got to using the Chromecast from Chrome.
Finding the right firewall exemptions
When I noticed I couldn't reach my Chromecast with this firewall policy, I found out using tcpdump and Wireshark that the traffic was quite complicated: mDNS, some other multicast UDP, random high UDP ports, TCP ports 8008 and 8009, etc.
With the help of some extra googling I stumbled upon a document from Cisco: Chromecast Deployment Guide, Release 7.6. While it was quite useful, it was a lot of blah blah and also about wireless network tweaking, which I wasn't really interested in.
To cut to the chase, here's what you need:

- Allow high UDP ports both incoming and outgoing. "High ports" are the local (ephemeral) ports, usually ranging 32768-61000 on most Linux systems; check `sysctl net.ipv4.ip_local_port_range` for the actual range on your host.
- Allow both TCP ports 8008 and 8009 outbound to the Chromecast device. I've noticed most references only use 8008, but that didn't do it for me: I saw outbound connections to port 8009 being blocked.
- Allow the special SSDP packets outbound (UDP traffic to the multicast IP `239.255.255.250`, destination port 1900). As far as I understand, a Chromecast app sends a request over SSDP when it wants to discover the Chromecasts in the network. The Chromecast then replies to the source IP it was given.
- In the `INPUT` chain, allow `ESTABLISHED` traffic. This is very common to have in your firewall, usually even together with `RELATED`, e.g.: `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`
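A way to verify that a live ruleset actually contains every exemption listed above, as an added example that is not part of the original post: a POSIX shell function that scans `iptables -S` output for each required rule and prints the label of any that is missing. The sample dump below is constructed for the example and deliberately omits the TCP 8008:8009 rule; the function name and labels are my own.

```sh
#!/bin/sh
# Check an `iptables -S` dump for the Chromecast exemptions described above.
# Usage: check_chromecast_rules <chromecast-ip> "$(iptables -S)"
# Prints one label per missing rule; prints nothing when all are present.
check_chromecast_rules() {
  ip="$1"
  rules="$2"
  # Escape the dots so the IP is matched literally inside the regexes.
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
  # label|extended-regex, one per required rule (same order as the TL;DR).
  # The ESTABLISHED check accepts both the legacy "state" and "conntrack" match forms.
  printf '%s\n' \
    "established|^-A INPUT .*--(ct)?state [A-Z,]*ESTABLISHED.* -j ACCEPT" \
    "udp-in|^-A INPUT -s $ip_re/32 -p udp .*--sports 32768:61000 .*--dports 32768:61000.* -j ACCEPT" \
    "udp-out|^-A OUTPUT -d $ip_re/32 -p udp .*--sports 32768:61000 .*--dports 32768:61000.* -j ACCEPT" \
    "tcp-out|^-A OUTPUT -d $ip_re/32 -p tcp .*--dports 8008:8009.* -j ACCEPT" \
    "ssdp|^-A OUTPUT -d 239\.255\.255\.250/32 -p udp .*--dport 1900.* -j ACCEPT" |
  while IFS='|' read -r label pattern; do
    printf '%s\n' "$rules" | grep -Eq -- "$pattern" || echo "$label"
  done
}

# Constructed sample of `iptables -S` output from a laptop with DROP policies.
# The TCP 8008:8009 rule is deliberately left out so the check has something to report.
SAMPLE_RULES='-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.1.2.3/32 -p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000 -m comment --comment "Allow Chromecast UDP data (inbound)" -j ACCEPT
-A OUTPUT -d 10.1.2.3/32 -p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000 -m comment --comment "Allow Chromecast UDP data (outbound)" -j ACCEPT
-A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -m comment --comment "Allow Chromecast SSDP" -j ACCEPT'

missing=$(check_chromecast_rules 10.1.2.3 "$SAMPLE_RULES")
if [ -n "$missing" ]; then
  echo "Missing Chromecast exemptions: $missing"   # with the sample above: tcp-out
else
  echo "All Chromecast exemptions present"
fi
```

On a real host, replace the sample with `"$(iptables -S)"` (run as root) and the Chromecast IP with your own.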