[LUNI] Punching tftp through iptables

Demetri Mouratis dmourati at cm.math.uiuc.edu
Thu Apr 29 23:08:45 CDT 2004


On Thu, 29 Apr 2004, David Horton wrote:

> Hi,
>
> I am trying to allow connections to a tftp server on a Redhat box that
> is protected with iptables.  I have configured Redhat's lokkit to make
> an exception for tftp:udp, but it does not seem to work properly.
>
> I can disable iptables entirely and tftp to my heart's content.  But,
> when iptables is enabled, even with the exception, the tftp client only
> receives one packet worth of data and then times out.
>
> Using netstat seems to show that the tftp server replies by transferring
> the first packet on port 69 (tftp) while further communication happens
> on a higher numbered port.  This explains why only one packet gets
> through, but I don't know enough about configuring iptables to fix the
> problem.

You may need to load this module:

--
TFTP protocol support
CONFIG_IP_NF_TFTP
  TFTP connection tracking helper, this is required depending
  on how restrictive your ruleset is.
  If you are using a tftp client behind -j SNAT or -j MASQUERADING
  you will need this.

  If you want to compile it as a module, say M here and read
  Documentation/modules.txt.  If unsure, say `Y'.
--

Also see this:

http://www.stearns.org/pomlist/20030101-output/pom-oldnat.html
--
Author: Magnus Boden <mb at ozaba.mine.nu>

TFTP connections will not work with NAT and this module makes
that work.

modprobe ip_conntrack_tftp ports=69,70 has the effect of
helping tftp connections on port 69 and 70.
If the ports argument is not supplied to modprobe it defaults
to 69.

If you have trouble please drop me a mail and I will help you.
--

And here I thought port 70 was for gopher.

Good luck.
---------------------------------------------------------------------
Demetri Mouratis
dmourati at linfactory.com
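Added example, not part of the original thread or of the kernel's ip_conntrack_tftp code: a toy Python model of the TFTP exchange described above (request to udp/69, then DATA from a fresh server port, then the client's ACK to that port) run through a restrictive ruleset that passes RELATED/ESTABLISHED traffic and NEW traffic only toward udp/69, once with and once without the helper's expectation. The addresses, ports and file name are constructed sample values.

```python
import struct

RRQ, WRQ, DATA, ACK = 1, 2, 3, 4              # TFTP opcodes, RFC 1350
CLIENT, SERVER = "192.0.2.10", "192.0.2.20"   # constructed sample addresses

def parse_request(payload):
    """Return (opcode, filename, mode) for an RRQ/WRQ payload, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    fields = payload[2:].split(b"\0")
    if opcode not in (RRQ, WRQ) or len(fields) < 3:
        return None
    return opcode, fields[0].decode(), fields[1].decode().lower()

class Conntrack:
    """Toy tracker plus ruleset. helper=True mimics what ip_conntrack_tftp
    adds: a request to a helper port records an expectation that the server
    will answer from ANY port, so that reply is RELATED instead of NEW."""
    def __init__(self, helper, ports=(69,)):
        self.helper, self.ports = helper, set(ports)
        self.flows, self.expected = set(), set()

    def filter(self, src, sport, dst, dport, payload):
        """Classify one packet and apply the ruleset; a flow is recorded only
        if the packet is accepted (netfilter likewise only confirms a new
        conntrack entry when the packet survives the filter)."""
        if (src, sport, dst, dport) in self.flows or (dst, dport, src, sport) in self.flows:
            return "ESTABLISHED", "ACCEPT"
        state = "RELATED" if (src, dst, dport) in self.expected else "NEW"
        if state == "NEW" and dport not in self.ports:   # NEW only toward udp/69
            return state, "REJECT"
        self.flows.add((src, sport, dst, dport))
        if self.helper and dport in self.ports and parse_request(payload):
            self.expected.add((dst, src, sport))   # reply may use any server port
        return state, "ACCEPT"

def run_exchange(helper):
    """Return (packet, state, verdict) for a read of a constructed file."""
    ct = Conntrack(helper)
    rrq = struct.pack("!H", RRQ) + b"pxelinux.0\0octet\0"
    data1 = struct.pack("!HH", DATA, 1) + b"x" * 512
    ack1 = struct.pack("!HH", ACK, 1)
    packets = [("RRQ", CLIENT, 2048, SERVER, 69, rrq),
               ("DATA#1", SERVER, 3456, CLIENT, 2048, data1),  # new server port
               ("ACK#1", CLIENT, 2048, SERVER, 3456, ack1)]
    return [(name,) + ct.filter(src, sport, dst, dport, payload)
            for name, src, sport, dst, dport, payload in packets]
```

Without the helper only the request survives; with it the server's DATA from port 3456 is RELATED and the client's ACK is ESTABLISHED.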
