
I have set up a pxeboot which basically works fine. I can run any configured linux image.

Then I have enabled the firewall and released UDP port 69 for TFTP:

    ~# iptables -L |grep tftp
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:tftp
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:tftp

    ~# netstat -tulp|grep tftp
    udp        0      0 0.0.0.0:tftp            0.0.0.0:*                           15869/in.tftpd
    udp6       0      0 [::]:tftp               [::]:*                              15869/in.tftpd

    ~# cat /etc/services|grep tftp
    tftp            69/udp

and now I get a timeout when pxeboot is pulling tftp://192.168.0.220/images/pxelinux.0 (rc = 4c126035). "Anywhere" is ok here for now, as there is another firewall running between the pxeserver and the router which blocks everything unwanted from/to WAN.

The funny part is that tcpdump shows that the request is incoming on the pxeboot server:

    ~# tcpdump port 69
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp5s0, link-type EN10MB (Ethernet), capture size 262144 bytes
    14:00:47.062723 IP 192.168.0.136.1024 > mittelerde.tftp:  47 RRQ "images/pxelinux.0" octet blksize 1432 tsize 0
    14:00:47.415412 IP 192.168.0.136.1024 > mittelerde.tftp:  47 RRQ "images/pxelinux.0" octet blksize 1432 tsize 0
    14:00:48.184506 IP 192.168.0.136.1024 > mittelerde.tftp:  47 RRQ "images/pxelinux.0" octet blksize 1432 tsize 0
    14:00:49.722630 IP 192.168.0.136.1024 > mittelerde.tftp:  47 RRQ "images/pxelinux.0" octet blksize 1432 tsize 0
    14:00:52.798136 IP 192.168.0.136.1024 > mittelerde.tftp:  47 RRQ "images/pxelinux.0" octet blksize 1432 tsize 0

Once I stop the firewall service pxeboot works fine again. Of course the conntrack module is loaded:

    ~# lsmod|grep conntrack
    nf_conntrack_tftp      16384  0
    nf_conntrack_ftp       20480  0
    xt_conntrack           16384  4
    nf_conntrack_ipv4      16384  20
    nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
    nf_conntrack          131072  9 xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4,nf_nat,nf_conntrack_tftp,ipt_MASQUERADE,nf_nat_ipv4,xt_nat,nf_conntrack_ftp
    libcrc32c              16384  2 nf_conntrack,nf_nat
    x_tables               40960  8 xt_conntrack,iptable_filter,xt_multiport,xt_tcpudp,ipt_MASQUERADE,xt_nat,xt_comment,ip_tables

What am I missing here?

1 Answer

Problem solved. For tftpd-hpa the following UDP ports must be open as well:

1024
49152:49182
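The reason extra ports are needed, shown as an added example rather than code from the question or answer: TFTP only uses port 69 for the read request. in.tftpd answers from a freshly bound ephemeral port (its transfer identifier), and the client's ACKs go back to that port, so an ACCEPT rule for `udp dpt:tftp` alone lets the RRQ in (which is why tcpdump sees it) but drops the rest of the transfer. The script below runs a minimal RRQ/DATA/ACK exchange over loopback and reports which port the data actually came from. The file content, the listening port 6969 (used instead of 69 so it runs unprivileged) and the data-port range 49152-49182, which mimics restricting the server with tftpd-hpa's `--port-range`, are all constructed assumptions.

```python
"""Minimal TFTP read over loopback to show that DATA comes from a new
server port, not from the port the RRQ was sent to.
Added example; everything in it is constructed (file content, ports)."""
import socket
import struct
import threading

OPCODE_RRQ, OPCODE_DATA, OPCODE_ACK = 1, 3, 4
# Constructed stand-in for the boot loader the question is fetching.
FILES = {"images/pxelinux.0": b"constructed stand-in for pxelinux.0"}


def build_rrq(filename, mode="octet", options=None):
    """Encode an RRQ packet (RFC 1350 layout, RFC 2347 option strings)."""
    pkt = struct.pack("!H", OPCODE_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"
    for key, value in (options or {}).items():
        pkt += key.encode() + b"\0" + str(value).encode() + b"\0"
    return pkt


def parse_rrq(pkt):
    """Return (filename, mode, options) from an RRQ packet."""
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode != OPCODE_RRQ:
        raise ValueError("not an RRQ")
    fields = pkt[2:].split(b"\0")[:-1]  # drop the empty element after the final NUL
    filename, mode = fields[0].decode(), fields[1].decode()
    options = {k.decode(): v.decode() for k, v in zip(fields[2::2], fields[3::2])}
    return filename, mode, options


def serve_one_request(listen_sock, data_port_range):
    """Handle one RRQ the way in.tftpd does: bind a NEW socket to a port in
    data_port_range, send DATA from it and wait for the ACK on it.
    Options in the RRQ are ignored, which RFC 2347 permits, so no OACK is sent.
    Returns the port the DATA was sent from."""
    pkt, client = listen_sock.recvfrom(1500)
    filename, _mode, _options = parse_rrq(pkt)
    data_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    low, high = data_port_range
    for port in range(low, high + 1):       # first free port in the configured range
        try:
            data_sock.bind(("127.0.0.1", port))
            break
        except OSError:
            continue
    else:
        raise RuntimeError("no free port in data_port_range")
    data_port = data_sock.getsockname()[1]
    payload = FILES.get(filename, b"")      # single block: payload is < 512 bytes
    data_sock.sendto(struct.pack("!HH", OPCODE_DATA, 1) + payload, client)
    data_sock.settimeout(2)
    ack, _ = data_sock.recvfrom(4)          # this is the packet a dport-69-only firewall drops
    if struct.unpack("!HH", ack) != (OPCODE_ACK, 1):
        raise RuntimeError("unexpected reply instead of ACK 1")
    data_sock.close()
    return data_port


def tftp_read(server_port, filename, data_port_range=(49152, 49182)):
    """Run one RRQ/DATA/ACK exchange on loopback and return which ports were used."""
    listen_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen_sock.bind(("127.0.0.1", server_port))
    seen = {}
    worker = threading.Thread(
        target=lambda: seen.update(server_data_port=serve_one_request(listen_sock, data_port_range)),
        daemon=True)
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    # Same options the PXE ROM in the question's tcpdump output sent.
    client.sendto(build_rrq(filename, options={"blksize": 1432, "tsize": 0}),
                  ("127.0.0.1", server_port))
    data, (src_ip, src_port) = client.recvfrom(2048)
    opcode, block = struct.unpack("!HH", data[:4])
    if (opcode, block) != (OPCODE_DATA, 1):
        raise RuntimeError("expected DATA block 1")
    client.sendto(struct.pack("!HH", OPCODE_ACK, block), (src_ip, src_port))
    worker.join(2)
    client.close()
    listen_sock.close()
    return {"request_port": server_port, "data_port": src_port,
            "server_data_port": seen.get("server_data_port"), "payload": data[4:]}


if __name__ == "__main__":
    result = tftp_read(6969, "images/pxelinux.0")
    print(f"RRQ went to port {result['request_port']}, "
          f"DATA came back from port {result['data_port']}")
```

Two defender-side fixes follow from this. Either pin the server's data ports with `in.tftpd --port-range 49152:49182` and accept only that UDP range on the PXE server (the answer's second line), or let connection tracking classify the data flow as RELATED: on kernels 4.7 and later the tftp helper is no longer attached automatically, so it has to be assigned with `iptables -t raw -A PREROUTING -p udp --dport 69 -j CT --helper tftp` together with an `ESTABLISHED,RELATED` accept rule, and the `0` usage count shown for `nf_conntrack_tftp` in the question's lsmod output is the symptom of the helper being loaded but never engaged.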