Firewall troubleshooting

I must say, I don’t post much here on the forums because 1) You guys are great at answering questions, and 2) OpenSUSE is a pretty rock solid and easy to use distro. However, I do have a question regarding firewalls. I’ve been using linux for a long time, but never had to deal with a firewall. I’ve always just disabled it. In the Windows world, there’s usually a prompt whenever an application tries to access the network in which you can choose to deny the program access or allow it access. Linux is way different (Fedora’s SElinux troubleshooter and openSUSE’s firewall programs).

I have a chromecast right now that is unable to be detected by my Linux computer running openSUSE 13.1. When I disable the firewall, it works fine.

As far as I know, the chromecast just requires, "Enable Multicast, UPnP, & IGMP in your router settings. " So I’m assuming it uses multicast, UPnP, and IGMP. However, I’m not exactly sure how to allow these services in OpenSUSE.

This link is for Ubuntu, but is pretty confusing: How can I use Chromecast - Ask Ubuntu (http://askubuntu.com/questions/324236/how-can-i-use-chromecast)

So I guess I have two questions: One, how can I start troubleshooting stuff like this on my own. How can I see network traffic and see exactly what is getting blocked so I can see if I can unblock it? And two, once I find out what’s getting blocked how do I go into the firewall and allow these items?

On Tue 26 Nov 2013 04:06:02 PM CST, DupermanDave wrote:


Hi
Install wireshark to monitor the network traffic (or use tcpdump if you
like cli).

If you check the file /etc/services it shows the ports and what they
are for, eg ssdp (upnp?) is 1900 udp/tcp to open these in the firewall.

Use YaST Security & Users -> Firewall -> allowed services and click on
the ‘Advanced’ button bottom right and add the port numbers as required.
The other one is probably 5353 udp/tcp.

But you should see the requests in wireshark to narrow it down (turn off
the firewall to observe all the traffic).


Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
SLED 11 SP3 (x86_64) GNOME 2.28.0 Kernel 3.0.101-0.8-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

Wildly guessing this is the part (from the Ubuntu thread) that matters here:

Code:

The browser will send a multicast UDP packet from the local IP and an
ephemeral (random) port to 239.255.255.250 port 1900. The ChromeCast
device will respond with a unicast UDP packet from the ChromeCast device’s
IP and another ephemeral port to the source IP/port of the multicast
packet. Note that this is slightly different than most other UPnP devices,
which will usually respond with a unicast UDP packet from port 1900
instead of an ephemeral port.

Basically the SUSE Linux firewall doesn’t restrict outgoing much, and
since this is mostly about outgoing (from your browser) data the firewall
shouldn’t matter. The trick is that every outgoing packet has a purpose,
and is usually answered by something coming back in; else, your browser
(with any service… FTP, HTTP, Chromecast) would be having a one-way
conversation and you’d get nothing of use in your browser just like in any
human conversation where only one side spews data.

The problem here is that while your browser talks to Chromecast one port,
that device responds back on another port which the Linux firewall sees as
an incoming (not outgoing) connection that is NOT related to an existing
session (the original outgoing packet to Chromecast on another port is not
the same session b/c the port is different, namely 1900 instead of some
high/ephemeral port). As a result the incoming packet is blocked.

With that written, let’s prove it. First, /var/log/firewall is the
default log to check so do so:

Code:

sudo tail -f /var/log/firewall

Watch that while you try to connect to Chromecast and see if you see
responses being blocked. The text may be hard to understand at first, so
feel free to post it back here in Code tags for us to review.

Next, try the iptables command in there to help relax the firewall on
incoming UDP data from high ports:

Code:

sudo iptables -A INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT

If running that command suddenly fixes your problem then you’re set; next
just make it permanent:

Code:

sudo /sbin/yast firewall

In here go to Allowed Services: Advanced: and in the UDP field put
32768-61000, then save and exit. Try again. Still works? You’re done.
Doesn’t work? Post back your /var/log/firewall stuff.


Good luck.


I got the output from the firewall.



2013-12-05T15:27:51.257690-08:00 linux-93t9 kernel: [ 2747.721005] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=74:e5:0b:64:cf:30:d0:e7:82:7b:04:b1:08:00 SRC=192.168.1.119 DST=192.168.1.115 LEN=544 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=50907 DPT=43606 LEN=524

2013-12-05T15:27:56.582700-08:00 linux-93t9 kernel: [ 2753.052205] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=74:e5:0b:64:cf:30:d0:e7:82:7b:04:b1:08:00 SRC=192.168.1.119 DST=192.168.1.115 LEN=544 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=57414 DPT=56213 LEN=524

2013-12-05T15:28:16.039661-08:00 linux-93t9 kernel: [ 2772.532783] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=74:e5:0b:64:cf:30:d0:e7:82:7b:04:b1:08:00 SRC=192.168.1.119 DST=192.168.1.115 LEN=544 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=57267 DPT=45592 LEN=524


I grabbed a few samples as I refreshed youtube pages. 192.168.1.115 is my IP address on the network. 192.168.1.119 appears to be the Chromecast.

I’m guessing “PROTO=UDP” is the protocol, and “SPT=57267” is the port? Or is “DPT=45592” the port? Or are they both ports, but that’s the port range?
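As an added illustration (not from any poster in this thread), here is a small Python script that parses SuSEfirewall2 drop lines in the format pasted above, counts what is being blocked per protocol/source/destination, separates UDP drops whose destination port falls in the 32768:61000 range (the "reply to our own outgoing request" pattern explained earlier in the thread) from genuinely unsolicited traffic, and only proposes the corresponding iptables rule when that pattern is actually present. The sample lines are constructed to mirror the pasted output, plus one extra TCP SYN from an outside address to show the contrast; the 192.168.1.0/24 LAN, the ephemeral range, and the function names (parse_sfw2_line, summarize, suggested_rule) are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: SuSEfirewall2 drop lines in the same layout as the pasted
# /var/log/firewall output. Addresses and ports are illustrative; the last line is
# an invented TCP SYN from a non-LAN address so both classes of drop appear.
SAMPLE_LOG = """\
2013-12-05T15:27:51.257690-08:00 linux-93t9 kernel: [ 2747.721005] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=74:e5:0b:64:cf:30:d0:e7:82:7b:04:b1:08:00 SRC=192.168.1.119 DST=192.168.1.115 LEN=544 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=50907 DPT=43606 LEN=524
2013-12-05T15:27:56.582700-08:00 linux-93t9 kernel: [ 2753.052205] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=74:e5:0b:64:cf:30:d0:e7:82:7b:04:b1:08:00 SRC=192.168.1.119 DST=192.168.1.115 LEN=544 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=57414 DPT=56213 LEN=524
2013-12-05T15:28:16.039661-08:00 linux-93t9 kernel: [ 2772.532783] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=74:e5:0b:64:cf:30:d0:e7:82:7b:04:b1:08:00 SRC=192.168.1.119 DST=192.168.1.115 LEN=544 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=57267 DPT=45592 LEN=524
2013-12-05T15:28:20.000000-08:00 linux-93t9 kernel: [ 2776.000000] SFW2-INext-DROP-DEFLT IN=wlp2s0 OUT= MAC=74:e5:0b:64:cf:30:d0:e7:82:7b:04:b1:08:00 SRC=203.0.113.7 DST=192.168.1.115 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

TAG_RE = re.compile(r"(SFW2-\S+)")      # e.g. SFW2-INext-DROP-DEFLT
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # KEY=value tokens; bare flags like DF/SYN are skipped

# Assumed LAN for this example; adjust to your own network.
LAN = ipaddress.ip_network("192.168.1.0/24")


def parse_port_range(spec):
    """Parse an iptables-style range written as low:high (the colon form).
    A hyphenated form such as 32768-61000 is rejected rather than misread."""
    m = re.fullmatch(r"(\d{1,5}):(\d{1,5})", spec)
    if not m:
        raise ValueError(f"port range must be low:high, got {spec!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"invalid port range {spec!r}")
    return lo, hi


# The range the thread opens for UDP replies to the machine's own requests.
EPHEMERAL = parse_port_range("32768:61000")


def parse_sfw2_line(line):
    """Return a dict of the fields of one SuSEfirewall2 log line, or None if it is not one."""
    m = TAG_RE.search(line)
    if not m:
        return None
    rec = {"tag": m.group(1)}
    lens = []
    for key, val in FIELD_RE.findall(line[m.end():]):
        if key == "LEN":          # first LEN is the IP total length, second the UDP length
            lens.append(int(val))
            continue
        rec[key] = val
    if lens:
        rec["ip_len"] = lens[0]
    for key in ("SPT", "DPT", "TTL"):   # SPT = source port, DPT = destination port
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def classify_drop(rec, lan=LAN):
    """'likely-reply' for UDP from a LAN host to a port in our ephemeral range
    (what a Chromecast/SSDP answer to our own request looks like); otherwise 'unsolicited'."""
    lo, hi = EPHEMERAL
    try:
        src_on_lan = ipaddress.ip_address(rec.get("SRC", "")) in lan
    except ValueError:
        src_on_lan = False
    if rec.get("PROTO") == "UDP" and src_on_lan and lo <= rec.get("DPT", -1) <= hi:
        return "likely-reply"
    return "unsolicited"


def summarize(log_text, lan=LAN):
    """Count dropped packets per (proto, src, dst, label) from a chunk of /var/log/firewall."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_sfw2_line(line)
        if rec is None or "DROP" not in rec["tag"]:
            continue
        counts[(rec["PROTO"], rec["SRC"], rec["DST"], classify_drop(rec, lan))] += 1
    return counts


def suggested_rule(counts):
    """Return the thread's iptables rule only if likely-reply drops were seen; unsolicited
    drops (e.g. a SYN to port 22 from outside) get no rule and stay blocked."""
    if any(label == "likely-reply" for (_, _, _, label) in counts):
        lo, hi = EPHEMERAL
        return f"iptables -I INPUT -p udp -m udp --dport {lo}:{hi} -j ACCEPT"
    return None


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(n, *key)
    print(suggested_rule(counts))
```

Feed it real output with something like `sudo tail -n 200 /var/log/firewall | python3 sfw2_drops.py` after replacing SAMPLE_LOG with `sys.stdin.read()`; the point of the split into likely-reply versus unsolicited is that opening the ephemeral UDP range is a deliberate, narrow relaxation, and anything else the log shows should be judged on its own.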

On 2013-12-06 00:36, DupermanDave wrote:
> I’m guessing “PROTO=UDP” is the protocol, and “SPT=57267” is the port?
> Or is “DPT=45592” the port? Or are they both ports, but that’s the port
> range?

“Destination PorT” and “Source PorT”


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

Did you allow the ports in the Yast Firewall window as mentioned
previously? Guessing by this that you did not. If you do then the
firewall should stop blocking these unsolicited packets and the
application will hopefully work.


Good luck.


I didn’t want to run the commands until I had a full understanding of what I was doing. I tried the IPtables command, but IPtables isn’t installed. So rather than install it I just skipped to the next step and tried to open the ports in the firewall configuration. When I added the port range in the advanced settings, I get this message when I go to save it: “Port name 32768-61000 is unknown in your current system. It probably would not work.
Really use this port?”

After I accept the changes anyway there’s still no chromecast functionality.

On 12/6/2013 12:16 AM, DupermanDave wrote:
DupermanDave:
You specify a range of ports with a colon not a hyphen. In this particular case you want to add the UDP ports:


32768:61000


P.V.
“We’re all in this together, I’m pulling for you” Red Green

And that would be my problem. If you couldn’t tell, it’s my first time working with a Linux firewall (aside from Fedora’s SELinux/SElinux troubleshooter).

That seemed to have worked. Thanks for the assistance. So the key that I was looking for was using the “tail” command to see what the firewall was actively doing and then adjust accordingly.

On 2013-12-06 07:16, DupermanDave wrote:
> I didn’t want to run the commands until I had a full understanding of
> what I was doing. I tried the IPtables command, but IPtables isn’t
> installed.

It is all lowercase.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

I was only using capital letters for the sake of being a grammar grouch. I was actually typing in “iptables” in the command line. The closest thing I had to iptables being installed was iptables-xml.

Once again, mucho gracias. Troubleshooting the firewall was my main concern. Now I know where to begin with things like games getting blocked.

On 2013-12-06 20:56, DupermanDave wrote:

> I was only using capital letters for the sake of being a grammar grouch.
> I was actually typing in “iptables” in the command line. The closest
> thing I had to iptables being installed was iptables-xml.

Oh, ok. But you see, we are talking computers here. Computers are
precise machines, a one is not the same as an el, even if they look the
same. We humans make that mistake, they don’t. When you talk about
computers, you have to be as precise as they are.

See, if you had said that you could not find the iptables command, I
would have thought something else. If you type it “wrong”, I immediately
pick on that and do not look any further. This exchange and
clarification takes hours, hours you waste at getting an adequate answer.

Please, be precise, do not mislead.

Ok. Look:


> Telcontar:~ # which iptables
> /usr/sbin/iptables
> Telcontar:~ # rpm -qf /usr/sbin/iptables
> iptables-1.4.16.3-4.1.1.x86_64
> Telcontar:~ #
> Telcontar:~ # l /usr/sbin/iptables
> lrwxrwxrwx 1 root root 13 Jun  8 03:54 /usr/sbin/iptables -> xtables-multi*
> Telcontar:~ # l /usr/sbin/xtables-multi
> -rwxr-xr-x 1 root root 87792 Jan 27  2013 /usr/sbin/xtables-multi*
> Telcontar:~ #

See where it is? The iptables command resides in the “/usr/sbin/”
directory, which only root has in his path, and probably needs to be
root to run it, or run those options that modify things.

I’m sure you have it installed, too.

> Once again, mucho gracias. Troubleshooting the firewall was my main
> concern. Now I know where to begin with things like games getting
> blocked.

Welcome :slight_smile:


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

Yup. I do have iptables (almost did that IPtables thing again). I just did the whereis command and found it. It was indeed located in /usr/sbin/iptables

Just reporting my success. As root I did:
iptables -A INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT <Enter>

Then in Yast–>Allowed Services–>Advanced–>UDP field I added 32768:61000 then, hit Next, then, Finish and Chromecast is working for me.

Thank you ab, you are one Wise Penguin. :slight_smile:

Just reporting my experience, on a fresh 13.1 install, I only added 32768:61000 to the UDP field in Firewall settings, and I’m able to see and cast to my Chromecasts now (didn’t need to do the iptables command).

Very interesting topic folks, thanks.

I am about to buy a Chromecast device and was wondering if it worked with openSuse. It seems like it does after a bit of fiddling with the firewall.

My expectations are that by using Chromecast I will be able to project whatever is showing in a Chrome tab, upon my 60" HDTV.

Will I be able to do this ?

I had a HELL OF A TIME getting this to work but I finally got it working in OpenSuse 13.2 64 bit.

Run this in Konsole:

sudo iptables -I INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT

Make sure you are connected via WiFi (For some reason an Ethernet cable connection will not work during the initial setup)

Then turn the firewall OFF

Test it out, it should now allow you to cast a tab.

Then turn the firewall back on.

Verify it is still working.

Glad this is functional because I LOVE my Chromecast