Linux firewall settings for Apple Airplay (Shairport / Shairtunes / Shairplay)



The following has taken me an eternity to figure out. I use Airplay from a Linux server to Apple and other airplay devices on my network. Configuring the firewall properly for this to work has not been simple - many guides are vague and lack the specifics needed.

My actual configuration centres around Logitech's squeezeboxserver, now known as logitechmediaserver ('LMS'), with which I use the following plugins:

AirPlay bridge - this enables Airplay devices to be used as if they were squeezebox devices, i.e. I can play my LMS stored music / radio / spotify on any of my Airplay devices

ShairTunes2 - this enables Squeezebox devices to be Airplayed to, i.e. I can Airplay from my iPhone/iPad/Mac etc. to any of my LMS squeezebox devices. This is an incarnation of shairplay / shairport.

For a long time I have had to disable my firewall so that my LMS server could connect to my Airplay devices and music would flow. Once the connection was established I then had to re-enable the firewall, which is not ideal and very cumbersome. Whilst the Airplay devices always showed up in LMS and the LMS client, the music would just not stream.

Here's how to configure a linux firewall with UFW to enable Airplay:



1. First, avahi / mDNS needs to be allowed through the firewall; this is how the Airplay devices are advertised and discovered on the network. mDNS is carried over UDP port 5353 (not TCP), so the rule is:

sudo ufw allow 5353/udp

2. Configure the ports that let Airplay stream. This is not so simple, as Airplay uses a dynamically assigned port on the server to stream from, so you cannot just open that port because it changes every time. Matters are further complicated because Linux has no application-level firewall as standard, so there is no way to simply allow (whitelist) the shairtunes 'shairport' application.

Solution - from watching a packet sniffer, it seems the Airplay protocol commonly uses ports 5000:5005 TCP to set up an Airplay connection. Typically Airplay uses 5000, but if another instance or something else is holding that port it seems to try a higher one, so I allow five ports.

Once the connection is established over TCP, Airplay then streams the audio over UDP to destination ports in the range 6000:6005 on the target device. To avoid the dynamic-port issue on the server side I take the reverse approach: allow in any packet that originates from source ports 6000:6005 within my network, and allow out any packet destined for ports 6000:6005 within my network.

Matching on the remote port rather than on a specific local port is a little more vulnerable than just opening one server port: any host that sends from source ports 6000:6005 gets through to every UDP port on the server. As a result I restrict these rules to my LAN using 192.168.1.0/24 ** you should change this ** to match your own LAN IP range.

TCP settings

sudo ufw allow in from 192.168.1.0/24 port 5000:5005 proto tcp to any

sudo ufw allow out from any to 192.168.1.0/24 port 5000:5005 proto tcp

UDP settings

sudo ufw allow in from 192.168.1.0/24 port 6000:6005 proto udp to any

sudo ufw allow out from any to 192.168.1.0/24 port 6000:6005 proto udp
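To see exactly which flows the five rules above admit and deny, here is a small Python model of the rule set (an added example, not part of the original post). It assumes the LMS server sits at 192.168.1.10, treats mDNS as UDP 5353, and treats anything no rule matches as denied; the sample flows are constructed. The third flow shows why the LAN restriction matters: the source-port rule admits traffic to any UDP service, not just the audio port.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # hypothetical LAN, change to match yours
ANY = None  # wildcard for a network or port range

# (direction, proto, src_net, src_ports, dst_net, dst_ports); port ranges are inclusive
RULES = [
    ("in",  "udp", ANY, ANY,          ANY, (5353, 5353)),  # avahi / mDNS
    ("in",  "tcp", LAN, (5000, 5005), ANY, ANY),           # allow in from LAN port 5000:5005 proto tcp to any
    ("out", "tcp", ANY, ANY,          LAN, (5000, 5005)),  # allow out from any to LAN port 5000:5005 proto tcp
    ("in",  "udp", LAN, (6000, 6005), ANY, ANY),           # allow in from LAN port 6000:6005 proto udp to any
    ("out", "udp", ANY, ANY,          LAN, (6000, 6005)),  # allow out from any to LAN port 6000:6005 proto udp
]

def _match(net, rng, addr, port):
    """One endpoint matches if its address is in net (or net is ANY) and its port is in rng (or ANY)."""
    in_net = net is None or ipaddress.ip_address(addr) in net
    in_rng = rng is None or rng[0] <= port <= rng[1]
    return in_net and in_rng

def allowed(direction, proto, src, sport, dst, dport):
    """True if some rule admits the flow; flows that match no rule are treated as denied."""
    return any(
        d == direction and p == proto and _match(sn, sp, src, sport) and _match(dn, dp, dst, dport)
        for d, p, sn, sp, dn, dp in RULES
    )

# Constructed sample flows as seen from the LMS server at 192.168.1.10 (hypothetical address).
SAMPLE_FLOWS = {
    "mdns query from a LAN host":          ("in",  "udp", "192.168.1.20", 5353,  "224.0.0.251",  5353),
    "audio to the dynamic server port":    ("in",  "udp", "192.168.1.20", 6001,  "192.168.1.10", 40123),
    "same source port aimed at UDP/53":    ("in",  "udp", "192.168.1.99", 6000,  "192.168.1.10", 53),
    "same, but from outside the LAN":      ("in",  "udp", "10.0.0.5",     6000,  "192.168.1.10", 53),
    "control connection out to a speaker": ("out", "tcp", "192.168.1.10", 51234, "192.168.1.30", 5000),
    "stray outbound UDP to another port":  ("out", "udp", "192.168.1.10", 51234, "192.168.1.30", 7000),
}

def evaluate_samples():
    """Map each sample flow name to whether the rule set admits it."""
    return {name: allowed(*flow) for name, flow in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{'ALLOW' if verdict else 'DENY':5}  {name}")
```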

Et voila, done. This has literally taken me years to figure out - I should have opened up my packet sniffer sooner!! Hope this helps you.



