ip_conntrack_tftp doesn't seem to work correctly

Harry Hoffman hhoffman at ip-solutions.net
Sat Dec 18 16:50:03 UTC 2004


Hi All,

Running RHAS-3 and attempting to run a tftp server in a non-NAT'd environment.

My iptables look similar to this:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Pass all on the loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow already est or rel connex back in
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# TFTP
-A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT

# Allow already known connex back in
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

COMMIT

These rules allow me to connect to udp port 69 on the tftp server, but 
since tftp chooses a random high port to read/write, the communication 
stops there.

I've tried loading the ip_conntrack_tftp module:

modprobe ip_conntrack_tftp

but this still doesn't allow the transfer of files.


Has anyone seen this? Am I doing something wrong?
Or is the module not designed to work in this manner?
Or is this a bug in the module?

I'd prefer not to allow all udp ports outbound.

TIA,
Harry
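The posted rules rely on ip_conntrack_tftp marking the server's first reply as RELATED: a TFTP read or write request goes to udp/69, but the server answers from a fresh high port, so without the helper that reply is a NEW flow in OUTPUT and hits the DROP policy. The following is an added illustration (not part of the original post, and not kernel or netfilter code) that models just enough of ip_conntrack and the tftp helper to show the state each packet of a transfer gets under the ruleset above, with and without the helper. Addresses (10.0.0.1 server, 10.0.0.2 client), ports 2048/3456 and the filename are constructed for the example; the same four packets are fed in both cases.

```python
"""Model of the TFTP conntrack helper against the posted filter rules.
Added illustration, not kernel/netfilter code; hosts, ports and the
filename below are constructed for the example."""
import struct
from dataclasses import dataclass

RRQ, WRQ, DATA, ACK = 1, 2, 3, 4          # TFTP opcodes (RFC 1350)
TFTP_PORT = 69


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class Conntrack:
    """Just enough of ip_conntrack to produce NEW / RELATED / ESTABLISHED."""

    def __init__(self, tftp_helper):
        self.tftp_helper = tftp_helper
        self.flows = {}          # original-direction 4-tuple -> flow record
        # (server ip, client ip, client port); the server's source port is a
        # wildcard, exactly what ip_conntrack_tftp expects for the reply
        self.expectations = []

    def track(self, p):
        """Return (state as -m state sees it, key of a newly created flow or None)."""
        orig = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if orig in self.flows:                       # original direction again
            f = self.flows[orig]
            if f["seen_reply"]:
                return "ESTABLISHED", None
            return ("RELATED" if f["expected"] else "NEW"), None
        if rev in self.flows:                        # reply direction
            self.flows[rev]["seen_reply"] = True
            return "ESTABLISHED", None
        exp = (p.src, p.dst, p.dport)                # unknown flow: expected by a helper?
        expected = exp in self.expectations
        if expected:
            self.expectations.remove(exp)
        self.flows[orig] = {"seen_reply": False, "expected": expected}
        return ("RELATED" if expected else "NEW"), orig

    def helper(self, p):
        """ip_conntrack_tftp: an RRQ/WRQ to port 69 makes conntrack expect the
        server's reply from any source port back to the client's source port."""
        if self.tftp_helper and p.dport == TFTP_PORT and len(p.payload) >= 2:
            (opcode,) = struct.unpack(">H", p.payload[:2])
            if opcode in (RRQ, WRQ):
                self.expectations.append((p.dst, p.src, p.sport))


def filter_rules(direction, state, p):
    """The posted ruleset: policy DROP on INPUT and OUTPUT, RELATED/ESTABLISHED
    accepted both ways, NEW udp/69 accepted on INPUT only."""
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if direction == "INPUT" and state == "NEW" and p.dport == TFTP_PORT:
        return "ACCEPT"
    return "DROP"


def firewall(ct, direction, p):
    """Run one packet through conntrack and the filter table."""
    state, created = ct.track(p)
    verdict = filter_rules(direction, state, p)
    if verdict == "DROP" and created is not None:
        del ct.flows[created]      # a dropped packet never confirms its conntrack entry
    elif verdict == "ACCEPT":
        ct.helper(p)               # helpers only matter for packets that got through
    return state, verdict


def run_transfer(tftp_helper):
    """Client 10.0.0.2 reads a file from the firewalled server 10.0.0.1.
    Returns [(direction, state, verdict), ...] in packet order."""
    ct = Conntrack(tftp_helper)
    server, client, client_port, data_port = "10.0.0.1", "10.0.0.2", 2048, 3456
    rrq = struct.pack(">H", RRQ) + b"pxelinux.cfg\0octet\0"

    def blk(n):
        return struct.pack(">HH", DATA, n) + b"x" * 512

    def ack(n):
        return struct.pack(">HH", ACK, n)

    exchange = [
        ("INPUT", Pkt(client, client_port, server, TFTP_PORT, rrq)),       # read request
        ("OUTPUT", Pkt(server, data_port, client, client_port, blk(1))),   # data from a new port
        ("INPUT", Pkt(client, client_port, server, data_port, ack(1))),
        ("OUTPUT", Pkt(server, data_port, client, client_port, blk(2))),
    ]
    return [(d,) + firewall(ct, d, p) for d, p in exchange]


if __name__ == "__main__":
    for on in (True, False):
        print("helper loaded" if on else "no helper", run_transfer(on))
```

With the helper active the second packet (the server's first DATA block from port 3456) is RELATED and the rest ESTABLISHED, so the ruleset as posted needs no "allow all udp outbound" rule. Without it, that block is NEW in OUTPUT and is dropped, and because a dropped packet never confirms its conntrack entry, the client's retries never become ESTABLISHED either. On a real box the tracked flows and their states can be read from /proc/net/ip_conntrack, which is the first place to look when the module is loaded but transfers still stall.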



