| -rw-r--r-- | changes/allow-local-multicast-in-firewall | 1 | ||||
| -rwxr-xr-x | pkg/linux/bitmask-root | 22 | 
2 files changed, 23 insertions, 0 deletions
diff --git a/changes/allow-local-multicast-in-firewall b/changes/allow-local-multicast-in-firewall
new file mode 100644
index 00000000..160cabb3
--- /dev/null
+++ b/changes/allow-local-multicast-in-firewall
@@ -0,0 +1 @@
+- unblock local multicast IPs from linux firewall, to allow SSDP and Bonjour/mDNS to work.
\ No newline at end of file
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index 6d296ecf..f1c5c0c3 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -740,6 +740,11 @@ def firewall_start(args):
     iptables("--insert", BITMASK_CHAIN, "-o", default_device,
              "--jump", "REJECT")
+    # log rejected packets to syslog
+    if DEBUG:
+        iptables("--insert", BITMASK_CHAIN, "-o", default_device,
+                 "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7")
+
     # allow traffic to gateways
     for gateway in gateways:
         ip4tables("--insert", BITMASK_CHAIN, "--destination", gateway,
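Review bot: The `LOG` rule added under `if DEBUG:` carries no rate limit, so every outbound packet that falls through to the REJECT is written to the kernel log and any local process that keeps sending blocked traffic can fill syslog; insert it with a limit match, e.g. `iptables("--insert", BITMASK_CHAIN, "-o", default_device, "-m", "limit", "--limit", "5/min", "--limit-burst", "20", "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7")`. The rule works only because it is inserted right after the REJECT and every later `--insert` (the ACCEPT rules) lands ahead of it, so it sees just the traffic nothing else matched; that ordering dependency deserves a comment such as `# inserted directly after REJECT so it sits just above it; later --insert rules take precedence`. `--log-level 7` is debug priority, which common syslog configurations discard, so the messages may never reach the log a user actually reads. firewall_start begins and ends outside this hunk.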
@@ -750,10 +755,27 @@ def firewall_start(args):
         ip4tables("--insert", BITMASK_CHAIN,
                   "--destination", local_network_ipv4, "-o", default_device,
                   "--jump", "ACCEPT")
+        # allow multicast Simple Service Discovery Protocol
+        ip4tables("--insert", BITMASK_CHAIN,
+                  "--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900",
+                  "-o", default_device, "--jump", "ACCEPT")
+        # allow multicast Bonjour/mDNS
+        ip4tables("--insert", BITMASK_CHAIN,
+                  "--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353",
+                  "-o", default_device, "--jump", "ACCEPT")
     if local_network_ipv6:
         ip6tables("--insert", BITMASK_CHAIN,
                   "--destination", local_network_ipv6, "-o", default_device,
                   "--jump", "ACCEPT")
+        # allow multicast Simple Service Discovery Protocol
+        ip6tables("--insert", BITMASK_CHAIN,
+                  "--protocol", "udp", "--destination", "FF05::C", "--dport", "1900",
+                  "-o", default_device, "--jump", "ACCEPT")
+        # allow multicast Bonjour/mDNS
+        ip6tables("--insert", BITMASK_CHAIN,
+                  "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353",
+                  "-o", default_device, "--jump", "ACCEPT")
+
     # block DNS requests to anyone but the service provider or localhost
     # when we actually route ipv6, we will need dns rules for it too
|
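Review bot: The IPv6 SSDP rule only covers the site-local group `FF05::C`, while UPnP over IPv6 commonly announces on the link-local group `FF02::C` as well, so if the intent mirrors the IPv4 rule an ip6tables rule with `"--protocol", "udp", "--destination", "FF02::C", "--dport", "1900"` is probably needed too — worth confirming against the stacks you want to support. These four ACCEPT rules are deliberate holes in a leak-preventing firewall: they let SSDP and mDNS leave on the physical interface outside the tunnel, and mDNS in particular announces this host's name and services to anyone on the local network, so the block should state that trade-off, e.g. `# deliberate exception to the VPN firewall: service-discovery multicast leaves on the physical interface and reveals this host's name/services to the LAN`. The four near-identical calls could be driven from one (address, port) table per address family so the IPv4 and IPv6 allowances stay in step. firewall_start begins and ends outside this hunk.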
