4

I have a tftp server which listens on standard UDP port 69. I have added following rule to my iptables to block everything except UDP 69.

-A INPUT -i eth0 -s 192.168.1.0/24 -p udp -m udp --dport 69 -j ACCEPT
-A INPUT                                                    -j   DROP

But with this rule the clients cannot access the tftp server. I have read that tftp is using higher port for the actual transfer (similar to ftp) and that I should use the ip_conntrack_tftp module. 

# zcat /proc/config.gz  | grep -i tftp
CONFIG_NF_CONNTRACK_TFTP=m

I have the module in my kernel, but what else do I need to do?

Martin Vegter
  • 69
  • 66
  • 195
  • 326

2 Answers2

4

  • First of all: You only allow connections to your server with a source ip matching "192.168.1.0/24". Just to be sure: This is a LAN ip, so this will only work, if your server and client are part of the same LAN. In this case you probably have a router as firewall to the internet, so you do not need any iptables configuration.

  • Second: I'd change your first setting to

    -A INPUT -i eth0 -s 192.168.1.0/24 -p udp --dport 69 -m state --state NEW,ESTABLISHED -j ACCEPT

  • However, with the settings given above, you only allow incoming connections on port 69, which means, that you server can't send back any messages (depending on your default filter policy for outgoing connections). To allow the server to answer on port 69, you will need either to have an accepting default policy for outgoing connections

    -P OUTPUT ACCEPT

    or allow answers on port 69:

    -A OUTPUT -i eth0 -p udp --sport 69 -m state --state ESTABLISHED -j ACCEPT

  • In addition, you have to load the kernel modules ip_conntrack and ip_conntrack_tftp for the "higher port connections". (Check whether both have been loaded using lsmod.) To accept the new connections for actual data transfer, use

    -A INPUT --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

Note, that no completely new connections can be established on ports >1024.

staxyz
  • 609
  • 6
  • 15
  • an addition to this, I tried the same thing, did not work. The reason being, my iptable settings had a rule to drop all packets at the end, and APPENDING the rule will not be fruitful, as we would be looking for packets after dropping them. So PREPEND the rules by changing the "-A" at the beggining to "-I "(eye not L). – ArunMKumar Sep 05 '16 at 19:55
2

For TFTP client, the rather simple solution is the add a config in the iptables.

File: /etc/sysconfig/iptables-config

IPTABLES_MODULES="nf_conntrack_netbios_ns ip_conntrack_tftp"
chandank
  • 121
  • 2