Iptables – TFTP: transfer time out on RHEL 6 server

iptableslinux-networkingredhattftp

I am hitting a wall here trying to get tftp to work using RHEL 6 as a server. The error, from the client, is simply "transfer timed out". On the server, I can see udp 69 traffic coming in from my client but I do not see any packets returning to the client. In the logs I can see xinetd is processing the request. On the server I am running tftp version:

tftp-server-0.49-8.el6.x86_64

Here is the command I run from the client. 

tftp -v 192.168.100.10 -c get file

Tcpdump server side:

13:54:02.136438 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
192.168.100.11.37126 > 192.168.100.10.tftp: [udp sum ok]  21 RRQ "file" netascii

And this repeats over and over until the transfer times out. Here is my logfile:

Jul 26 13:54:22 server in.tftpd[7068]: RRQ from 192.168.100.11 filename file

And this also repeats over and over until the transfer times out. My config:

service tftp
{
    disable = no
    socket_type             = dgram
    protocol                = udp
    wait                    = yes
    user                    = root
    server                  = /usr/sbin/in.tftpd
    server_args             = -v -v -v -s /var/lib/tftpboot
    per_source              = 11
    cps                     = 100 2
    flags                   = IPv4
}

Iptables rule is at the top:

[root@server tftpboot]# iptables -L --line-numbers | grep tftp
1    ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:tftp

Kernel modules are loaded:

[root@server tftpboot]# lsmod | grep tftp
nf_conntrack_tftp       4814  0 
nf_conntrack           79537  4     nf_conntrack_tftp,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state

SELinux is permissive:

[root@server tftpboot]# getenforce 
Permissive

I have allowed all in hosts.allow:

xinetd : ALL

And I know the service is listening:

[root@server tftpboot]# lsof -i :69
COMMAND    PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
in.tftpd  7023 root    0u  IPv4 11763412      0t0  UDP *:tftp 
xinetd   32761 root    5u  IPv4 11763412      0t0  UDP *:tftp 
[root@server tftpboot]# netstat -anp | grep ":69"
udp        0      0 0.0.0.0:69                  0.0.0.0:*                                7023/in.tftpd

world has RX on the tftpboot dir:

[root@server lib]# ll | grep tftp*
drwxr-xr-x.  2 root      root     4096 Jul 26 12:17 tftpboot

And world has read on the files inside. Other things I have tried.

1) Using tcp instead of udp = FAIL

2) Moving the tftp root directory = FAIL

3) And as you can see I already have verbose logging turned on for tftp

4) Changing the user in the config = FAIL

I am at a loss at this point. Has anyone run into this problem before?

UPDATE: Here is my full iptables config:

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:136]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -m state --state NEW,ESTABLISHED -  j ACCEPT
-A INPUT -j DROP
COMMIT

Also, I have disables iptables and still get the same transfer timed out message.

UPDATE#2 – I have also added the following into iptables but iptables is not happy. 

-A INPUT --sport 1024: --dport 1024: -m state --state ESTABLISHED -j   ACCEPT
-A OUTPUT --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

Error:

iptables: Applying firewall rules: iptables-restore v1.4.7: unknown option `--sport'

UPDATE #3

Not that this may help, but I was curious to see if in fact I saw related packets coming and and leaving the firewall. Here is a snapshot of the two rules I inserted to allow both 69 to and from the client as well as the ports needed for the data transfer.

Before transfer started:

 5      245 ACCEPT     udp  --  *      *       192.168.10.11         0.0.0.0/0           udp dpt:69 state NEW,ESTABLISHED 
   0        0 ACCEPT     udp  --  *      *       192.168.10.11         0.0.0.0/0           udp spts:1024:65535 dpts:1024:65535 state   ESTABLISHED 
--
   0        0 ACCEPT     udp  --  *      *       0.0.0.0/0             192.168.10.11      udp spt:69 state ESTABLISHED 
  30      960 ACCEPT     udp  --  *      *       0.0.0.0/0             192.168.10.11      udp spts:1024:65535 dpts:1024:65535 state  RELATED,ESTABLISHED

After transfer attempt:

   10      490 ACCEPT     udp  --  *      *       192.168.10.11        0.0.0.0/0           udp dpt:69 state NEW,ESTABLISHED 
    0        0 ACCEPT     udp  --  *      *       192.168.10.11            0.0.0.0/0           udp spts:1024:65535 dpts:1024:65535 state      ESTABLISHED 
 --
   0        0 ACCEPT     udp  --  *      *       0.0.0.0/0             192.168.10.11      udp spt:69 state ESTABLISHED 
   58     1856 ACCEPT     udp  --  *      *       0.0.0.0/0             192.168.10.11      udp spts:1024:65535 dpts:1024:65535 state  RELATED,ESTABLISHED

So this tells me its not the firewall and if I don't see return packets with tcpdump its something in between, perhaps maybe the application itself.

Best Answer

Since you're using the state module in your iptables configuration to only allow NEW connections on the tftp port and you only posted an excerpt from your firewall config:

1 ACCEPT udp -- anywhere anywherestate NEWudp dpt:tftp

is that rule in the INPUT chain and is there also a generic -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT rule? (If so, that rule should probably be the first rule in your INPUT chain.)

Because although the UDP protocol itself is stateless the conntrack modules still seem to maintain some state information for UDP and you might have a case where the first UDP packet is accepted and every subsequent packet is regarded as either part of an "established" or "related" session rather than "new" and rejected.

Related Topic