
Default iptables has UDP Multicast disabled

asked 2012-12-20 16:18:04 -0500

jonls

updated 2012-12-24 07:38:56 -0500

I have been trying to figure out how to program a UDP Multicast server, but no matter what I did I could not make it work, until I tried disabling iptables and suddenly everything works fine. So my question is, why is this disabled by default (I have never touched iptables)? And how do I insert a rule to make it work?

Output of iptables -L looks like this. I suppose there should be a rule in the INPUT table (before REJECT) to accept udp multicast packets.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             state NEW udp dpt:mdns
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

3 Answers


answered 2013-05-12 04:54:50 -0500

Blaker

I was having trouble trying to get the Python Twisted library UDP Multicast example (link: h t t p:// to work on localhost.

To get UDP multicasting to work, you need to add the port to your firewall and note it as type UDP. For the default Fedora 18 installation, this means you need to execute:

$ sudo firewall-cmd --add-port=12345/udp

To make this change permanent across firewalld and/or system reboots:

$ sudo firewall-cmd --permanent --add-port=12345/udp

Note that the above commands are for port 12345.

Source: h t t p s://



For those of you that are running iptables, but not firewalld, this is the correct rule to add:

iptables -I INPUT -m pkttype --pkt-type multicast -j ACCEPT

xconspirisist ( 2013-07-21 04:59:19 -0500 )

answered 2013-01-01 14:20:24 -0500

Firewalls should be secure by default. The most secure firewall is one that does not allow any traffic in any direction, and any allowances must be considered.

Allowing ssh traffic by default is essential for remotely administered systems and for machines with display problems, and access is further secured by sshd. An allowance for this seems obvious.

Outbound traffic is presumed trusted by default. This isn't very strict, really, but doing it this way saves the user a lot of trouble, and most people don't require restricted outbound traffic. Similarly, responses to outbound requests are allowed in.

ICMP traffic also seems like an obvious exception. Pinging a machine is a basic, routine way to see if it is alive and responsive.

Every other exception must be considered on a case by case basis. It is frustrating, at first, to learn basic firewall administration, but the effort involved is much less than what we would expend to maintain vulnerable systems.

Let's take a look at your use case, compared to a mythical 'average user':

  • User that wants to hand code their own UDP multicast server, but doesn't want to learn basic firewall administration.
  • User that is using $NETWORKAPPLICATION and believes that the firewall should accommodate their specific use case, by default.
  • User that wants a system that is secure by default, protected against known and unknown vulnerabilities.

A default policy for everyone cannot accommodate everyone's use case and still be secure. The policy must be either allow by default, or deny by default with exceptions. Fedora's policy is to accommodate the most common use case - users that don't need firewall exceptions - while still keeping them secure.


answered 2012-12-31 11:33:25 -0500

wholevin

Pretty sure this will do it:

sudo iptables -I INPUT -p udp --dport YOUR_PORT -j ACCEPT

where YOUR_PORT is the port your multicast server is listening on.

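The answers above each open the firewall more widely than the multicast server needs: a plain --dport rule admits unicast UDP from any host, and a --pkt-type multicast rule admits every multicast port. The following POSIX shell script is an added example and is not code from the original thread or from Fedora. It reads the INPUT chain as printed by iptables -L INPUT -n --line-numbers, finds the number of the default REJECT rule (the question's "before REJECT" requirement), and composes a rule scoped to both the multicast destination range 224.0.0.0/4 and one UDP port; it also emits the equivalent firewalld rich rule for the firewall-cmd approach in Blaker's answer. The chain listing embedded in the script is constructed from the question's output, port 12345 is taken from the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Compose an INPUT rule for a UDP multicast service and place it before
# the default REJECT, which is where the question's listing says it must go.
# Assumptions: the chain ends in a catch-all REJECT as in the question,
# the service listens on the given port, and its group lies in 224.0.0.0/4.

# Constructed sample: the question's INPUT chain as printed by
# "iptables -L INPUT -n --line-numbers" (numeric addresses, rule numbers).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          state NEW udp dpt:5353
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Print the number of the first REJECT rule in a listing read from stdin;
# print nothing when the chain has no REJECT rule.
first_reject_rule() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "REJECT" { print $1; exit }'
}

# Rule specification scoped to multicast destinations on one UDP port.
# "--dport" alone would also admit unicast UDP from any host, and
# "--pkt-type multicast" alone would admit every multicast port.
# $1 = port, $2 = destination group or range (default: all of 224.0.0.0/4).
multicast_rule_spec() {
    printf '%s' "-p udp -d ${2:-224.0.0.0/4} --dport $1 -j ACCEPT"
}

# Full iptables command: insert at the REJECT position so the rule is
# evaluated before the catch-all; append only if the chain has no REJECT.
# $1 = port, $2 = chain listing text, $3 = optional destination range.
insert_command() {
    pos=$(printf '%s\n' "$2" | first_reject_rule)
    spec=$(multicast_rule_spec "$1" "$3")
    if [ -n "$pos" ]; then
        printf 'iptables -I INPUT %s %s\n' "$pos" "$spec"
    else
        printf 'iptables -A INPUT %s\n' "$spec"
    fi
}

# Equivalent firewalld rich rule, with the same destination scoping.
# $1 = port, $2 = optional destination range.
firewalld_rich_rule() {
    printf 'rule family="ipv4" destination address="%s" port port="%s" protocol="udp" accept' \
        "${2:-224.0.0.0/4}" "$1"
}

# Dry run against the constructed listing: prints the commands without applying them.
insert_command 12345 "$SAMPLE_LISTING"
firewalld_rich_rule 12345
echo
```

To apply it on a live iptables host, pass the real listing (sudo iptables -L INPUT -n --line-numbers) to insert_command and run the printed command with sudo; on a firewalld host, pass the printed rich rule to sudo firewall-cmd --permanent --add-rich-rule=... and then run firewall-cmd --reload. Giving the second argument a single group such as 239.1.2.3/32 narrows the rule to that group only.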
