
I have some issues with TFTP download behind NAT using iptables and I could really use your help. I'm familiar with networking principles, but pretty new to iptables, so I'm sorry if I'm doing something completely wrong.

I have a server running Ubuntu 20.04 with two NICs which tries to connect to a TFTP server. While everything else works perfectly okay, I'm getting a timeout when trying to TFTP. I have a suspicion based on a tcpdump, where I see some ICMP traffic which (maybe) is not translated correctly, but I'm not sure.

Topology info

TFTP server: 130.221.69.14:udp/69
MyServer (TFTP client):
eth0 = uplink / 172.25.17.6
eth1 = downlink / 10.14.254.0/24 (which NATs to eth0 with the config below)


IFACE_WAN=eth0
IFACE_LAN=eth1
NETWORK_LAN=10.14.254.0/24

... iptables config

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o $IFACE_WAN -s $NETWORK_LAN ! -d $NETWORK_LAN -j MASQUERADE
iptables -A FORWARD -d $NETWORK_LAN -i $IFACE_WAN -o $IFACE_LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $NETWORK_LAN -i $IFACE_LAN -j ACCEPT

When doing a tcpdump on eth1/$NETWORK_LAN (BEFORE NAT) I see:

I see no ICMP traffic here.

root@swmgmt:~# tcpdump -i eth1 -n  dst 130.221.69.14
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
20:38:34.901901 IP 10.14.254.164.59384 > 130.221.69.14.69:  38 RRQ "switch-config/by-name/switch1" octet
20:38:38.897841 IP 10.14.254.164.59384 > 130.221.69.14.69:  38 RRQ "switch-config/by-name/switch1" octet
20:38:43.899754 IP 10.14.254.164.59384 > 130.221.69.14.69:  38 RRQ "switch-config/by-name/switch1" octet
20:38:49.903083 IP 10.14.254.164.59384 > 130.221.69.14.69:  38 RRQ "switch-config/by-name/switch1" octet
20:38:56.907874 IP 10.14.254.164.59384 > 130.221.69.14.69:  38 RRQ "switch-config/by-name/switch1" octet
20:39:04.908915 IP 10.14.254.164.59384 > 130.221.69.14.69:  38 RRQ "switch-config/by-name/switch1" octet
20:39:12.909728 IP 10.14.254.164.59384 > 130.221.69.14.69:  23 ERROR EUNDEF "Session terminated"

When doing a tcpdump on eth0/$NETWORK_WAN (AFTER NAT) I see:

I see ICMP traffic here?

20:21:31.898048 IP 172.25.17.6.59650 > 130.221.69.14.69:  38 RRQ "switch-config/by-name/switch1" octet
20:21:31.899090 IP 172.25.17.6 > 130.221.69.14: ICMP 172.25.17.6 udp port 59650 unreachable, length 55
20:21:39.024682 IP 172.25.17.6.59650 > 130.221.69.14.69:  38 RRQ "switch-config/by-name/switch1" octet
20:21:39.025524 IP 172.25.17.6 > 130.221.69.14: ICMP 172.25.17.6 udp port 59650 unreachable, length 55
20:21:47.029243 IP 172.25.17.6.59650 > 130.221.69.14.69:  38 RRQ "switch-config/by-name/switch1" octet
20:21:47.030220 IP 172.25.17.6 > 130.221.69.14: ICMP 172.25.17.6 udp port 59650 unreachable, length 55
20:21:55.030448 IP 172.25.17.6.59650 > 130.221.69.14.69:  23 ERROR EUNDEF "Session terminated"

Any help would be appreciated a lot!

Sincerely, Tor.

HMH

1 Answer

You probably need to load the tftp NAT helper, as tftp is one of those protocols which don't play nicely with NAT.

Try modprobe nf_nat_tftp.

Note: the above info is from a system using nftables, not iptables. Your mileage may vary. In any case, try to find it under the /lib/modules/<kernel-version>/kernel/net/ directory, likely in a netfilter subdirectory at the top level or under the ipv4 or ipv6 directories.

Tomek
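An added illustration (not code from the question or the answer) of why the answer's helper is needed: per RFC 1350 the TFTP server answers the RRQ sent to port 69 from a new ephemeral port, so the reply never matches the conntrack entry MASQUERADE created, and the NAT box itself sends the "udp port unreachable" seen on eth0. The toy model below uses the addresses and ports from the tcpdump; the server's data port 49152 is constructed.

```python
# Toy model of Linux conntrack + MASQUERADE, with and without the tftp helper.
# Addresses/ports are from the tcpdump in the question; 49152 is a constructed
# ephemeral port the TFTP server picks for its DATA packets.

class NatBox:
    def __init__(self, wan_ip, tftp_helper=False):
        self.wan_ip = wan_ip
        self.tftp_helper = tftp_helper
        self.next_nat_port = 59650
        # (remote_ip, remote_port, wan_ip, nat_port) -> (lan_ip, lan_port)
        self.conns = {}
        # (remote_ip, wan_ip, nat_port) -> (lan_ip, lan_port): reply from ANY remote port
        self.expects = {}

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN -> WAN packet: MASQUERADE rewrites the source to wan_ip:nat_port."""
        nat_port = self.next_nat_port
        self.next_nat_port += 1
        self.conns[(remote_ip, remote_port, self.wan_ip, nat_port)] = (lan_ip, lan_port)
        if self.tftp_helper and remote_port == 69:
            # nf_conntrack_tftp registers an expectation: a datagram from the
            # server, from any source port, to the masqueraded client port is
            # RELATED, and nf_nat_tftp translates it back to the LAN client.
            self.expects[(remote_ip, self.wan_ip, nat_port)] = (lan_ip, lan_port)
        return self.wan_ip, nat_port

    def inbound(self, remote_ip, remote_port, nat_port):
        """WAN -> box packet: returns (verdict, translated LAN destination or None)."""
        key = (remote_ip, remote_port, self.wan_ip, nat_port)
        if key in self.conns:
            return "ESTABLISHED", self.conns[key]
        lan = self.expects.pop((remote_ip, self.wan_ip, nat_port), None)
        if lan is not None:
            self.conns[key] = lan  # expectation matched: the new flow is RELATED
            return "RELATED", lan
        # No conntrack entry and no local socket on nat_port: the kernel answers
        # with "ICMP udp port unreachable", which is what the eth0 dump shows.
        return "ICMP_PORT_UNREACHABLE", None


def tftp_read(helper_loaded):
    """Simulate the client's RRQ and the server's first DATA block."""
    box = NatBox("172.25.17.6", tftp_helper=helper_loaded)
    _, nat_port = box.outbound("10.14.254.164", 59384, "130.221.69.14", 69)
    # The server replies from a fresh ephemeral port (49152, constructed), not from 69.
    return box.inbound("130.221.69.14", 49152, nat_port)
```

On kernels since 4.7 loading nf_nat_tftp is not enough by itself, because automatic helper assignment is off by default; the helper must be attached explicitly, e.g. with `iptables -t raw -A PREROUTING -p udp --dport 69 -j CT --helper tftp` (or by setting net.netfilter.nf_conntrack_helper=1 where that sysctl still exists).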