2

This may look like a duplicate question but I did my share of searching, but could not find any solution.

I have created a tftp server, this server when accessed from a local tftp client, over a loopback gets and puts the file just fine. When I try to access the server through an external client, The request times out. The connection is established. I can see the connection as connected in the tftp client, no issues there. The File transfer does not start.

The client is connected directly to the HOST via a ethernet cable, I have created a 2 Device LAN. pings work between them.

I initially thought this to be a firewall issue, now I have disabled the firewall, allowed INPUT and OUTPUT on the configured port 69 in the iptables. also udp is allowed on port 69.

I am also Not running multiple instances of the tftpd-hpa server , it is running as a daemon, and netstat -aup has only one tftp server running.

The clients are giving proper requests, I can see them in wireshark, but nothing goes out in response.

and the failure is always a TIMEOUT.

**firewall disabled**
**ports allow connection **
**file transfer fails**
** outgoing tftp request as a client to other tftp servers is alos blocked **

Update2:

I was not really sure about the Firewall thing, as this laptop was issued by my employer and I am skeptical that they wont allow the firewall to be disabled. reading the /var/log/syslog did not give any hints so tried looking at the kernel prints as to whether any kmodules were doing anything fishy, I see these ones.

[10989.915231] FIREWALL: IN=eth1 OUT= MAC=50:7b:9d:f9:44:5d:68:9e:19:99:9e:e4:08:00 SRC=10.42.0.89 DST=10.42.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=255 ID=117 DF PROTO=UDP SPT=2495 DPT=69 LEN=45

The SRC , DESTT , DPT , PROTO the MAC Address all match my tftp client.

I cannot really tell, what is happening here, so if anyone can give me hints to look for some logs or something else, It would be really helpful.

after this I installed gufw to manage the firewall and allowed all incoming and outgoing traffic. I still get timeouts, and this is what I now see on syslog.

Sep  5 16:16:01 arun-TP kernel: [13836.201853] [UFW AUDIT] IN= OUT=eth1 SRC=10.42.0.1 DST=10.42.0.255 LEN=184 TOS=0x00 PREC=0x00 TTL=64 ID=12630 DF PROTO=UDP SPT=17500 DPT=17500 LEN=164 
Sep  5 16:16:01 arun-TP kernel: [13836.201870] [UFW ALLOW] IN= OUT=eth1 SRC=10.42.0.1 DST=10.42.0.255 LEN=184 TOS=0x00 PREC=0x00 TTL=64 ID=12630 DF PROTO=UDP SPT=17500 DPT=17500 LEN=164

This time the DST does not make sense, The client is at 10.42.0.89 and not 10.42.0.255.

Update1:

/etc/default/tftpd-hpa

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/tftpboot"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure  --create  -s"
RUN_DAEMON="YES"

ls -lrt /

drwxr-xr-x   2 tftp nogroup  4096 Sep  5 03:30 tftpboot

netstat -aup

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 *:mdns                  *:*                                 739/avahi-daemon: r
udp        0      0 *:50694                 *:*                                 2514/rpc.mountd 
udp        0      0 *:55107                 *:*                                 2514/rpc.mountd 
udp        0      0 *:nfs                   *:*                                 -               
udp        0      0 *:3471                  *:*                                 8567/dhclient   
udp        0      0 *:56776                 *:*                                 739/avahi-daemon: r
udp        0      0 10.42.0.1:domain        *:*                                 5403/dnsmasq    
udp        0      0 127.0.1.1:domain        *:*                                 3025/dnsmasq    
udp        0      0 *:bootps                *:*                                 5403/dnsmasq    
udp        0      0 *:bootpc                *:*                                 8567/dhclient   
udp        0      0 *:tftp                  *:*                                 4316/in.tftpd  
udp        0      0 *:sunrpc                *:*                                 966/rpcbind     
udp        0      0 *:ipp                   *:*                                 1476/cups-browsed
udp        0      0 *:707                   *:*                                 966/rpcbind     
udp        0      0 *:33526                 *:*                                 2514/rpc.mountd 
udp        0      0 *:49935                 *:*                                 -               
udp        0      0 localhost:796           *:*                                 1044/rpc.statd  
udp        0      0 *:54194                 *:*                                 1044/rpc.statd  
udp        0      0 *:17500                 *:*                                 3785/dropbox    
udp6       0      0 [::]:mdns               [::]:*                              739/avahi-daemon: r
udp6       0      0 [::]:42779              [::]:*                              -               
udp6       0      0 [::]:59279              [::]:*                              1044/rpc.statd  
udp6       0      0 [::]:nfs                [::]:*                              -               
udp6       0      0 [::]:60007              [::]:*                              2514/rpc.mountd 
udp6       0      0 [::]:52311              [::]:*                              2254/BESClient  
udp6       0      0 [::]:11656              [::]:*                              8567/dhclient   
udp6       0      0 [::]:sunrpc             [::]:*                              966/rpcbind     
udp6       0      0 [::]:45289              [::]:*                              739/avahi-daemon: r
udp6       0      0 [::]:57589              [::]:*                              2514/rpc.mountd 
udp6       0      0 [::]:707                [::]:*                              966/rpcbind     
udp6       0      0 [::]:37709              [::]:*                              2514/rpc.mountd

no tftp configuration file in /etc/xinetd.d/

Firewall is disabled. ufw status = inactive

iptables -L -v

Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target     prot opt in     out     source               destination         
    2   656 ACCEPT     udp  --  eth1   any     anywhere             anywhere             udp dpt:bootps
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere             tcp dpt:bootps
    0     0 ACCEPT     udp  --  eth1   any     anywhere             anywhere             udp dpt:domain
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere             tcp dpt:domain
36569 3800K ACCEPT     all  --  lo     any     anywhere             anywhere            
30392   20M ACCEPT     tcp  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
 2704  679K ACCEPT     udp  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     254  --  ipsec+ any     anywhere             anywhere            
    0     0 ACCEPT     esp  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     ah   --  any    any     anywhere             anywhere            
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:isakmp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:cfengine
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:5900
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:5901
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:12080
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             tcp dpt:auth reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:5656
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpts:5004:5005
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpts:5004:5005
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:20830
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:20830
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpts:sip:5062
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpts:sip:5062
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:21100
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:2001
    0     0 ACCEPT     gre  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
  689 56460 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp router-advertisement
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
   13   832 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-reply
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:tproxy
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:1533
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpts:30000:30005
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpts:bootps:bootpc
    6  1968 DROP       udp  --  any    any     anywhere             anywhere             udp dpts:bootps:bootpc
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ns
    0     0 DROP       udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-dgm
    0     0 DROP       udp  --  any    any     anywhere             anywhere             udp dpt:netbios-dgm
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ssn
    0     0 DROP       udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ssn
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpts:tcpmux:ftp-data
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:sunrpc
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpts:snmp:snmp-trap
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:520
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpts:6348:6349
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpts:6345:gnutella-rtr
   75  3256 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level debug prefix  "FIREWALL: "
 1459  263K LOG        udp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level debug prefix "FIREWALL: "
 3347  568K DROP       all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:tftp state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:69 state NEW,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    eth1    anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   any     10.42.0.0/24         anywhere            
    0     0 ACCEPT     all  --  eth1   eth1    anywhere             anywhere            
    0     0 REJECT     all  --  any    eth1    anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  eth1   any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 68593 packets, 6962K bytes) pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:69 state NEW,ESTABLISHED
    1    45 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:tftp state NEW,ESTABLISHED

Outgoing tftp requests as a client are also blocked. my IP is 192,168.0.5 tried connecting to 192.168.0.2

tftp 192.168.0.2
tftp> verbose on
Verbose mode on.
tftp> status
Connected to 192.168.0.2.
Mode: netascii Verbose: on Tracing: off Literal: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> put hello
putting hello to 192.168.0.2:hello [netascii]
Transfer timed out.

can there be something wrong with my Router? Is there any settings that I need to take care of, but this problem is there even when I connect the client directly to the server using an ethernet cable. I tired a BeagleBone Black, a MAcbook and my Android Phone as a tftp clients raising request to the server.

Client : 10.42.0.89 (BeagleBlack, at u-boot) Server : 10.42.0.1

I used wireshark to sniff on the ethernet packets now.

ARP:

32  927.886269000   10.42.0.89  Broadcast   ARP 60  Who has 10.42.0.1?  Tell 10.42.0.89
33  927.886320000   50:7b:9d:f9:44:5d   10.42.0.89  ARP 42  10.42.0.1 is at 50:7b:9d:f9:44:5d

after this , I see only this initiating from the client and nothing goes out.

36  932.887008000   10.42.0.89  10.42.0.1   TFTP    79  Read Request, File: hello, Transfer type: octet, timeout\000=5\000, blksize\000=1468\000
ArunMKumar
  • 181
  • 2
  • 2
  • 9

4 Answers4

1

You should run tftpd inside inetd process, as described here, if you insist on running it as a standalone daemon, be sure to change configuration files as described here

Community
  • 1
Anubioz
  • 3,677
  • 18
  • 23
  • already tried both of them, does not work still. The server exists and works fine on a loopback network, but nothing goes out or in from the machine hosting the tftp server. Connections are established to/from remote machines no issues in it, file transfer times out. – ArunMKumar Sep 05 '16 at 08:30
1

When the server tries to send data to the client, the source port from the server is NOT 69...it is random high. If your client has a firewall and you punched a hole to/from UDP 69, TFTP won't work. Suggest trying again with a sniffer on the server, but look at all UDP traffic to the client, not just port 69. See the Wikipedia page for TFTP for more details on the protocol.

Also, Anubioz is giving you good advice in the other answer.

Jeremy Dover
  • 318
  • 1
  • 6
  • you are right, some posts suggested using atftpd for the same. but sadly all in vain. I have my firewall disabled , "ufw status" is inactive so I think that should not be a problem. and cannot fathom why would it do block tftp if it is inactive., as for the client, I tried tftp from uboot, and I think the bootloader would not put any restriction to movement of files as many people have got it working, I have taken your advice on packet sniffing. user wireshark. My server receives ARP and then TFTP requests (many of them) but nothing goes out to the client. – ArunMKumar Sep 05 '16 at 08:35
  • Hey one more thing, When I connect client to the router , then I do not receive any tftp packets, the router may be blocking them. so i connected it directly to my laptop, and marked "ipv4" method to "shared to other computers" on my laptop running ubuntu 14.04. can this be an issue? – ArunMKumar Sep 05 '16 at 08:37
  • Try putting the TFTP allow rules higher up in the INPUT chain (using -I to insert them). Looking at the stats, they are never getting hit, since they come after the deny all rules at the end. – Jeremy Dover Sep 05 '16 at 12:05
1

This part of firewall configuration shows you how all packets will be dropped and then tftp packets will be allowed. 

Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target     prot opt in     out     source               destination         
   . . . 
3347  568K DROP       all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:tftp state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:69 state NEW,ESTABLISHED

Move drop all and logs rules after tftp allow rules.

Mikhail Khirgiy
  • 2,073
  • 11
  • 7
1

I was having the exact same issue attempting to copy a file to a Casa Systems CMTS, and I needed an entry in the Service Management Module (SMM) Access Control List. I originally had an entry allowing TFTP from my TFTP server ip address. When I ran a tcpdump and discovered the response from the server to my router on a random high UDP port, I opened up the ACL on the router to allow any IP traffic from my TFTP server and the session started working.

I know this is an old thread, but just in case someone else runs into this problem, try adding an entry into any control plane ACLs in place permitting all ip your TFTP server.

Joe Joseph
  • 11
  • 1