
I have a TFTP server on CentOS 7.4. The TFTP server is up and running and works well when accessing a file while connecting on localhost. However, if I try to access the TFTP server from another server, I get a timeout.

The firewall is configured correctly and the port is accessible.

cat /etc/xinetd.d/tftp

service tftp
{
        socket_type             = dgram
        protocol                = udp
        port                    = 69
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /tftpboot
        disable                 = no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}

cat /etc/xinetd.conf

defaults
{
        log_type        = SYSLOG daemon info
        log_on_failure  = HOST
        log_on_success  = PID HOST DURATION EXIT

        cps             = 50 10
        instances       = 50
        per_source      = 10

        v6only          = no

        groups          = yes
        umask           = 002

}

includedir /etc/xinetd.d

TFTP Access using localhost, from the same machine:

[root@tftp-001 ~]# tftp -v localhost -c get dir.txt
Connected to localhost (::1), port 69
getting from localhost:dir.txt to dir.txt [netascii]
Received 11 bytes in 0.0 seconds [3093 bit/s]

TFTP Access using another computer:

[root@pbx-001 ~]# tftp -v 51.15.xxx.yy -c get dir.txt
Connected to 51.15.xxx.yy (51.15.xxx.yy), port 69
getting from 51.15.xxx.yy:dir.txt to dir.txt [netascii]
Transfer timed out.

tail -F /var/log/messages will show the following line when accessing from localhost but nothing when accessing from another machine.

Oct 21 09:44:55 pbx-001 in.tftpd[11986]: Client ::1 finished dir.txt

I tried to run a port scan from the other machine and it seems that the port is accessible and open:

[root@pbx-001 ~]# nmap -sU -p 69 51.15.XXX.YY

Starting Nmap 6.40 ( http://nmap.org ) at 2017-10-21 09:47 UTC
Nmap scan report for ZZZZZZZZZZZZZZZZZZZZZZZZ (51.15.XXX.YY)
Host is up (0.00068s latency).
PORT   STATE         SERVICE
69/udp open|filtered tftp

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

I also tried to turn off firewalld but I still have this issue.

I need the TFTP server to be accessible by any computer outside of the network to set up a few hundred Cisco phones across different countries and offices.

I can connect to SSH, HTTP, etc. on the machine without any problem; it's really just a TFTP issue.

EDIT 1: The output of iptables -L -n -v is:

[root@tftp-001 ~]# iptables -L -n -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
13425 5433K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  249 14891 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  351 19544 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  351 19544 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  351 19544 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   117 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  221 12353 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 14168 packets, 1284K bytes)
 pkts bytes target     prot opt in     out     source               destination
14168 1284K OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
  351 19544 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public (1 references)
 pkts bytes target     prot opt in     out     source               destination
  351 19544 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  351 19544 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  351 19544 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   48  2953 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
   77  4004 ACCEPT     tcp  --  *      *       [MY_HOME_IP]         0.0.0.0/0            tcp dpt:80 ctstate NEW
    2   117 ACCEPT     tcp  --  *      *       [MY_HOME_IP]         0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       [MY_HOME_IP]         0.0.0.0/0            udp dpt:69 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
[root@tftp-001 ~]#

EDIT 2: I use 'firewall-cmd' as a GUI and this is the output of firewall-cmd --zone=public --list-all:

[root@tftp-001 ~]# firewall-cmd --zone=public --list-all

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="[MY_HOME_IP]" port port="80" protocol="tcp" accept
        rule family="ipv4" source address="[MY_HOME_IP]" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="[MY_HOME_IP]" port port="69" protocol="udp" accept
user440625
  • Can we see the output of `iptables -L -n -v`? Cut-and-paste it into your answer, and ensure the formatting is preserved. – MadHatter Oct 21 '17 at 11:25
  • @MadHatter that was added, but I'm not familiar with iptables, I usually use UFW on Ubuntu, this is a Centos setup – user440625 Oct 21 '17 at 12:02

4 Answers

2

At the moment, your firewall rules allow TFTP (UDP port 69) connections from the server itself (loopback, via INPUT rule 2) and from 79.137.39.26 ( via IN_public_allow rule 3). You don't give the IP address of the client you're trying from, but ceteris paribus there's only a one in four billion chance it's that IP (and given the packet counts on that rule are zero, it might be even less than that).

Try adding a rule to permit all TFTP traffic, such as

iptables -I INPUT 1 -p udp --dport 69 -j ACCEPT

and see if that helps any.

MadHatter
  • The IP you mentioned is my test VPN so I actually was within it. I added the command you gave me but it didn't change anything. I'm also using firewall-cmd as a GUI for iptables. firewall-cmd --list-all output is now in the initial post – user440625 Oct 21 '17 at 15:16
  • @user440625 OK, I don't want to get lost in that maze of little firewall rules, so I've changed it to a brute-force option to permit tftp traffic. If this rule doesn't do it, it's not the firewall. – MadHatter Oct 21 '17 at 15:52
  • @MadHatter OK, I changed it as well on the server, but I still get timeouts... – user440625 Oct 21 '17 at 16:17
  • Just rebooted the server and still have the same problem – user440625 Oct 21 '17 at 16:23
  • "*I changed it as well on the server*" sorry, what? You changed what as well on the server? – MadHatter Oct 21 '17 at 20:27
  • I've changed the iptables command you mention in your command -- it used to be a different one before you edited it, so I edited my iptables as well – user440625 Oct 21 '17 at 20:50
  • I see what you mean, but rebooting it will have removed the change. Can you confirm that (a) after rebooting, you have run the command on the server as currently shown above, (b) it has made no difference to tftp, and that (c) you aren't doing anything else network-funky, like your test client accessing the server over a VPN, or through some kind of udp-sceptical firewall? – MadHatter Oct 22 '17 at 07:16
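The reasoning in this answer (the only UDP/69 rule is restricted to one source address, and its packet counter has never moved) can be checked mechanically. The following is an added example, not code from the question, the answer or any project on the page: it parses one chain of `iptables -L -n -v` output and reports which rule, if any, would match UDP/69 from a given client address. The sample chain is a constructed copy of the question's IN_public_allow chain in which 203.0.113.5 (a documentation address) stands in for the redacted [MY_HOME_IP]; the function names are mine.

```python
import ipaddress
import re

# Constructed sample modelled on the IN_public_allow chain in the question;
# 203.0.113.5 (a documentation address) stands in for the redacted [MY_HOME_IP].
SAMPLE_CHAIN = """\
Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
   77  4004 ACCEPT     tcp  --  *      *       203.0.113.5          0.0.0.0/0            tcp dpt:80 ctstate NEW
    2   117 ACCEPT     tcp  --  *      *       203.0.113.5          0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       203.0.113.5          0.0.0.0/0            udp dpt:69 ctstate NEW
"""

_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def _counter(s):
    """iptables -v abbreviates large counters (e.g. 5433K)."""
    if s[-1] in _SUFFIX:
        return int(float(s[:-1]) * _SUFFIX[s[-1]])
    return int(s)


def parse_chain(text):
    """Turn the rule lines of one `iptables -L -n -v` chain into dicts.
    'Chain ...' and column-header lines are skipped; only the columns this
    check needs (packet counter, target, protocol, source, dport) are kept."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0][0].isdigit():
            continue
        pkts, _bytes, target, prot, _opt, _in, _out, src, _dst = parts[:9]
        extra = " ".join(parts[9:])
        m = re.search(r"dpt:(\d+)", extra)
        rules.append({
            "pkts": _counter(pkts),
            "target": target,
            "prot": prot,
            "src": ipaddress.ip_network(src, strict=False),
            "dport": int(m.group(1)) if m else None,   # None: rule matches any port
        })
    return rules


def matching_rules(rules, client_ip, proto, dport):
    """Rules that would match a proto/dport packet arriving from client_ip,
    in chain order (in iptables the first matching rule wins)."""
    ip = ipaddress.ip_address(client_ip)
    hits = []
    for r in rules:
        if r["prot"] not in ("all", proto):
            continue
        if ip not in r["src"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        hits.append(r)
    return hits


def explain(text, client_ip, proto="udp", dport=69):
    """Human-readable verdict for one client address against one chain."""
    hits = matching_rules(parse_chain(text), client_ip, proto, dport)
    if not hits:
        return ("no rule matches %s/%d from %s; the packet falls through "
                "this chain (in the question, on to INPUT's final REJECT)"
                % (proto, dport, client_ip))
    r = hits[0]
    hint = "" if r["pkts"] else " (counter 0: this rule has never matched anything)"
    return "%s by the rule for source %s%s" % (r["target"], r["src"], hint)


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7"):
        print(ip, "->", explain(SAMPLE_CHAIN, ip))
```

Run against the real output, paste only the chain you care about (here IN_public_allow) and the address the client actually egresses from; a VPN or NAT in the path means that address is not the one the client sees on its own interface, which is exactly the ambiguity raised in the comments above.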
0

For future readers: this may actually be related to the clients having a stateful firewall blocking the responses from the tftp server. The firewall won't see the responses as established or related connections, and therefore drops/blocks them.

hugo
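Why a client-side stateful firewall sees the reply as unrelated: a TFTP read request goes to UDP/69, but the server (in.tftpd included) answers from a fresh socket on an ephemeral port, so the DATA packet has a source port the client never sent anything to. Connection tracking that only recorded "client:X to server:69" does not match "server:Y to client:X" as a reply, and the packet is treated as NEW unless the TFTP conntrack helper (nf_conntrack_tftp on Linux) has registered the expected reply as RELATED. The toy exchange below is an added example, not code from this answer or from tftp-hpa: a minimal RRQ/DATA/ACK server and client over loopback that reports the port the request went to and the port the DATA actually came from. The server listens on an unprivileged port instead of 69 so no root is needed, and the served file content is constructed.

```python
import socket
import struct
import threading

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 5

# Constructed sample file served by the toy server; stands in for the page's dir.txt.
FILES = {b"dir.txt": b"hello tftp\n"}


def build_rrq(filename, mode=b"netascii"):
    """RRQ packet: opcode 1, filename, NUL, mode, NUL (RFC 1350)."""
    return struct.pack("!H", OP_RRQ) + filename + b"\0" + mode + b"\0"


def parse_rrq(pkt):
    (op,) = struct.unpack("!H", pkt[:2])
    if op != OP_RRQ:
        raise ValueError("expected RRQ, got opcode %d" % op)
    filename, mode, _rest = pkt[2:].split(b"\0", 2)
    return filename, mode


def serve_one_rrq(listen_sock):
    """Answer a single RRQ the way in.tftpd does: the request arrives on the
    well-known port, but the reply is sent from a NEW socket on an ephemeral
    port (the server's transfer ID). Nothing more comes from port 69."""
    pkt, client = listen_sock.recvfrom(516)
    filename, _mode = parse_rrq(pkt)
    data_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    data_sock.bind(("127.0.0.1", 0))       # port 0: the kernel picks the TID
    data_sock.settimeout(2)
    try:
        body = FILES.get(filename)
        if body is None:
            data_sock.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\0", client)
            return
        # body is under 512 bytes, so one DATA block (block #1) completes the transfer
        data_sock.sendto(struct.pack("!HH", OP_DATA, 1) + body, client)
        try:
            data_sock.recvfrom(516)            # wait for the client's ACK of block 1
        except socket.timeout:
            pass
    finally:
        data_sock.close()


def fetch(filename):
    """Run one RRQ/DATA/ACK exchange over loopback and report which port the
    request was sent to and which port the reply actually came from."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))          # stand-in for UDP/69 (no root needed)
    request_port = server.getsockname()[1]
    worker = threading.Thread(target=serve_one_rrq, args=(server,), daemon=True)
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    data = None
    try:
        client.sendto(build_rrq(filename), ("127.0.0.1", request_port))
        pkt, (addr, reply_port) = client.recvfrom(516)
        op, block = struct.unpack("!HH", pkt[:4])
        if op == OP_DATA:
            data = pkt[4:]
            # the ACK must go to the reply port, not to the well-known port
            client.sendto(struct.pack("!HH", OP_ACK, block), (addr, reply_port))
    finally:
        client.close()
    worker.join(timeout=3)
    server.close()
    return {"request_port": request_port, "reply_port": reply_port,
            "same_port": request_port == reply_port, "data": data}


if __name__ == "__main__":
    r = fetch(b"dir.txt")
    print("request sent to port %d, DATA came back from port %d, same port: %s"
          % (r["request_port"], r["reply_port"], r["same_port"]))
```

On the server side this port change is harmless: the DATA packet leaves through OUTPUT and creates its own conntrack entry, so the client's ACKs come back as ESTABLISHED and are taken by the first INPUT rule. It is the client's firewall, or an address-and-port-dependent NAT between client and server, that has no entry for the ephemeral port and drops the DATA block, which is what a "Transfer timed out." with nothing in the server log beyond the accepted request looks like.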
0

I ran into this issue on CentOS 7.7 as well.

But the problem itself doesn't seem (to my knowledge) to be CentOS related.

The issue surfaced when RHEL tftp-server 5.2-22 was released. Reverting to 5.2-13 fixed the issue.

For anyone else, to downgrade, use:

-1

What are the ownership and permissions for directory and file?

Try using “chmod 777” on the directory to see if it is a permissions issue.

Kev