I have an embedded Blackfin Linux board (Blackfin Forum) to which I can download an image by TFTP from my Suse 10.1 server when everything is on the same subnet (192.168.0.1).
However, I want to put this board on a DMZ zone which is on subnet 192.168.1.1. I have set up the Blackfin board as follows:
serverip 192.168.0.3 (this is the IP of my Suse server)
gatewayip 192.168.1.1 (card in the Smoothwall router)
ipaddr 192.168.1.2
The router providing the DMZ is SmoothWall Express 3.0 (SmoothWall.org) and I have it programmed to forward the TFTP request to the server. I see the request come into the server but it is ignored, and the log files say something about an orphan request? Some of these details I have forgotten, as I have worked on this off and on again over the last six months. I realize that Suse (IP 192.168.0.3) is getting this TFTP request from a different subnet (IP 192.168.1.2) and is dropping it. I am also running the firewall on Suse (although it would not work even with the firewall off). My question is, how do I set up the firewall to accept this Blackfin request and load the TFTP image? To me this is a very basic question that is done all the time, but I cannot figure out how to do it. I find the YaST settings confusing and searching on the web over the months has not cleared up the confusion. I appreciate any help I can get.
Sincerely, Steve
|
|||
|
TFTP is UDP. I think the port forwarding in Smoothwall (and similar routers) is designed to cater for TCP. You may have to write a couple of custom rules to add to Smoothwall. Can you dump the Smoothwall rules and locate the forwarding rule you put in to see if it specifies TCP or UDP?
|
|
|||
|
Hi Ken,
Sorry I am slow getting back but things have been busy. I know how to shell into Smoothwall, but can you tell me how to dump the Smoothwall rules? Thank you, Steve
|
|||
|
Code:
iptables -L
Code:
iptables -t nat -L
|
|||
|
iptables -L
Code:
Chain INPUT (policy DROP)
target      prot opt source               destination
ipblock     0    --  anywhere             anywhere
ipblock     0    --  anywhere             anywhere
ipblock     0    --  anywhere             anywhere
advnet      0    --  anywhere             anywhere
advnet      0    --  anywhere             anywhere
advnet      0    --  anywhere             anywhere
spoof       0    --  anywhere             anywhere
spoof       0    --  anywhere             anywhere
spoof       0    --  anywhere             anywhere
timedaccess 0    --  anywhere             anywhere
ACCEPT      0    --  anywhere             anywhere
ACCEPT      0    --  anywhere             anywhere
secin       0    --  anywhere             anywhere
block       0    --  anywhere             anywhere
LOG         0    --  anywhere             anywhere             LOG level warning
REJECT      0    --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target      prot opt source               destination
ipblock     0    --  anywhere             anywhere
ipblock     0    --  anywhere             anywhere
ipblock     0    --  anywhere             anywhere
secout      0    --  anywhere             anywhere
ACCEPT      0    --  anywhere             anywhere
ACCEPT      0    --  anywhere             anywhere
ACCEPT      0    --  anywhere             anywhere
ACCEPT      0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT      0    --  anywhere             anywhere             state RELATED,ESTABLISHED
outbound    0    --  anywhere             anywhere             state NEW
ACCEPT      0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT      0    --  anywhere             anywhere             state RELATED,ESTABLISHED
outbound    0    --  anywhere             anywhere             state NEW
ACCEPT      0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT      0    --  anywhere             anywhere             state RELATED,ESTABLISHED
outbound    0    --  anywhere             anywhere             state NEW
portfwf     0    --  anywhere             anywhere
ACCEPT      0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT      0    --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
dmzholes    0    --  anywhere             anywhere
ACCEPT      0    --  anywhere             anywhere
ACCEPT      0    --  anywhere             anywhere
MINIUPNPD   0    --  anywhere             anywhere
MINIUPNPD   0    --  anywhere             anywhere
MINIUPNPD   0    --  anywhere             anywhere
LOG         0    --  anywhere             anywhere             LOG level warning
REJECT      0    --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target      prot opt source               destination

Chain MINIUPNPD (3 references)
target      prot opt source               destination

Chain advnet (3 references)
target      prot opt source               destination

Chain allows (1 references)
target      prot opt source               destination

Chain badtraffic (1 references)
target      prot opt source               destination

Chain block (1 references)
target      prot opt source               destination
ACCEPT      0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT      0    --  anywhere             anywhere
xtaccess    0    --  anywhere             anywhere
ipsec       0    --  anywhere             anywhere
ipsec       0    --  anywhere             anywhere
ipsec       0    --  anywhere             anywhere
siprtpports 0    --  anywhere             anywhere
siprtpports 0    --  anywhere             anywhere
siprtpports 0    --  anywhere             anywhere
ACCEPT      icmp --  anywhere             anywhere
ACCEPT      icmp --  anywhere             anywhere
ACCEPT      icmp --  anywhere             anywhere
badtraffic  0    --  anywhere             anywhere

Chain dmzholes (1 references)
target      prot opt source               destination
ACCEPT      tcp  --  192.168.1.2          192.168.0.3          state NEW tcp dpt:tftp
ACCEPT      udp  --  192.168.1.2          192.168.0.3          state NEW udp dpt:tftp

Chain ipblock (6 references)
target      prot opt source               destination

Chain ipsec (3 references)
target      prot opt source               destination
ACCEPT      udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT      esp  --  anywhere             anywhere
ACCEPT      ah   --  anywhere             anywhere

Chain outbound (3 references)
target      prot opt source               destination
ACCEPT      icmp --  anywhere             anywhere
timedaccess 0    --  anywhere             anywhere
allows      0    --  anywhere             anywhere
outgreen    0    --  anywhere             anywhere
outorange   0    --  anywhere             anywhere

Chain outgreen (1 references)
target      prot opt source               destination
ACCEPT      0    --  anywhere             anywhere

Chain outorange (1 references)
target      prot opt source               destination
ACCEPT      0    --  anywhere             anywhere

Chain outpurple (0 references)
target      prot opt source               destination
ACCEPT      0    --  anywhere             anywhere

Chain portfwf (1 references)
target      prot opt source               destination
ACCEPT      tcp  --  anywhere             192.168.1.2          state NEW tcp dpt:http

Chain secin (1 references)
target      prot opt source               destination
ACCEPT      0    --  anywhere             anywhere

Chain secout (1 references)
target      prot opt source               destination
ACCEPT      0    --  anywhere             anywhere

Chain siprtpports (3 references)
target      prot opt source               destination

Chain spoof (3 references)
target      prot opt source               destination
DROP        0    --  192.168.0.0/24       anywhere
DROP        0    --  192.168.1.0/24       anywhere

Chain timedaccess (2 references)
target      prot opt source               destination

Chain timedaction (0 references)
target      prot opt source               destination
RETURN      0    --  anywhere             anywhere

Chain xtaccess (1 references)
target      prot opt source               destination
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:ident
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:ident
|
|||
|
iptables -t nat -L
Code:
Chain PREROUTING (policy ACCEPT)
target      prot opt source               destination
portfw      0    --  anywhere             anywhere
jmpsquid    0    --  anywhere             anywhere
jmpim       0    --  anywhere             anywhere
jmpp3scan   0    --  anywhere             anywhere
jmpsip      0    --  anywhere             anywhere
MINIUPNPD   0    --  anywhere             anywhere
MINIUPNPD   0    --  anywhere             anywhere
MINIUPNPD   0    --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target      prot opt source               destination
MASQUERADE  0    --  anywhere             anywhere
MASQUERADE  0    --  anywhere             anywhere
MASQUERADE  0    --  anywhere             anywhere
SNAT        0    --  anywhere             anywhere             MARK match 0x1 to:192.168.0.99
SNAT        0    --  anywhere             anywhere             MARK match 0x2 to:192.168.1.1

Chain OUTPUT (policy ACCEPT)
target      prot opt source               destination

Chain MINIUPNPD (3 references)
target      prot opt source               destination

Chain im (1 references)
target      prot opt source               destination

Chain jmpim (1 references)
target      prot opt source               destination
RETURN      0    --  anywhere             10.0.0.0/8
RETURN      0    --  anywhere             172.16.0.0/12
RETURN      0    --  anywhere             192.168.0.0/16
RETURN      0    --  anywhere             169.254.0.0/16
im          0    --  anywhere             anywhere

Chain jmpp3scan (1 references)
target      prot opt source               destination
RETURN      0    --  anywhere             10.0.0.0/8
RETURN      0    --  anywhere             172.16.0.0/12
RETURN      0    --  anywhere             192.168.0.0/16
RETURN      0    --  anywhere             169.254.0.0/16
p3scan      0    --  anywhere             anywhere

Chain jmpsip (1 references)
target      prot opt source               destination
RETURN      0    --  anywhere             10.0.0.0/8
RETURN      0    --  anywhere             172.16.0.0/12
RETURN      0    --  anywhere             192.168.0.0/16
RETURN      0    --  anywhere             169.254.0.0/16
sip         0    --  anywhere             anywhere

Chain jmpsquid (1 references)
target      prot opt source               destination
RETURN      0    --  anywhere             10.0.0.0/8
RETURN      0    --  anywhere             172.16.0.0/12
RETURN      0    --  anywhere             192.168.0.0/16
RETURN      0    --  anywhere             169.254.0.0/16
squid       0    --  anywhere             anywhere

Chain p3scan (1 references)
target      prot opt source               destination

Chain portfw (1 references)
target      prot opt source               destination
DNAT        tcp  --  anywhere             i209-195-73-121.cia.com  tcp dpt:http to:192.168.1.2:80

Chain sip (1 references)
target      prot opt source               destination

Chain squid (1 references)
target      prot opt source               destination
|
|||
|
The only thing you've got port forwarded is HTTP. Try setting up a forward for TFTP, which is UDP port 69.
|
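As an added example (not code from this thread or from Smoothwall), here is a small Python parser for the `iptables -L` dumps posted above that answers the question Ken answered by eye: which chains accept or DNAT a given protocol and port. The sample text is a constructed excerpt of the dump above, trimmed to the chains that matter for TFTP.

```python
import re
# Constructed excerpt of the `iptables -L` / `iptables -t nat -L` output posted in the thread.
SAMPLE_FILTER = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
portfwf    0    --  anywhere             anywhere
dmzholes   0    --  anywhere             anywhere
Chain dmzholes (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.1.2          192.168.0.3          state NEW tcp dpt:tftp
ACCEPT     udp  --  192.168.1.2          192.168.0.3          state NEW udp dpt:tftp
Chain portfwf (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.1.2          state NEW tcp dpt:http
"""
SAMPLE_NAT = """\
Chain portfw (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             i209-195-73-121.cia.com  tcp dpt:http to:192.168.1.2:80
"""
# One rule line: target, proto, opt, source, destination, then any match/extension text.
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chains(dump):
    """Turn `iptables -L` text into {chain_name: [rule dict, ...]}."""
    chains, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("target "):   # blank line or column header
            continue
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            target, prot, _opt, src, dst, extra = m.groups()
            chains[current].append(dict(target=target, prot=prot, src=src, dst=dst, extra=extra))
    return chains

def rules_for_port(chains, proto, port):
    """Every rule, in any chain, that matches `proto` traffic to `port` (name or number)."""
    return [(chain, r["target"], r["src"], r["dst"])
            for chain, rules in chains.items() for r in rules
            if r["prot"] == proto and f"{proto} dpt:{port}" in r["extra"]]

def tftp_paths(filter_dump, nat_dump):
    # What the firewall does with UDP/69: DMZ pinholes (filter table) vs. DNAT forwards (nat table).
    return {"pinholes": rules_for_port(parse_chains(filter_dump), "udp", "tftp"),
            "forwards": rules_for_port(parse_chains(nat_dump), "udp", "tftp")}
```

These rules only describe the request direction: a TFTP server answers from a freshly chosen source port (RFC 1350), so the reply relies on the firewall's TFTP connection-tracking helper to be classed RELATED rather than on any dpt:69 rule.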
|
|||
|
Hi Ken,
I have a very hard time understanding iptables, and in this case I am setting them up through the Smoothwall web interface (this is how it is meant to be used). Using the Smoothwall lingo, I believe I have set up "pinholes" from the DMZ network card to my internal card, and looking at iptables.txt I think this is it:
Code:
Chain dmzholes (1 references)
target      prot opt source               destination
ACCEPT      tcp  --  192.168.1.2          192.168.0.3          state NEW tcp dpt:tftp
ACCEPT      udp  --  192.168.1.2          192.168.0.3          state NEW udp dpt:tftp
Looking at this you can see that I opened up both UDP and TCP, since I really am not sure what I am doing.
|
|||
|
Shouldn't need TCP but doesn't hurt. I'm not sure how NEW interacts with UDP since there is no concept of a pipe in UDP, although you can track a connection. Anyway you can only give it a shot. If the web interface isn't powerful enough you may have to insert some rules by hand. Also you might ask the Smoothwall forum whether the web interface can be used to create a UDP pinhole. (I don't use Smoothwall, although I have in the past.)
|
|
|||
|
I think I have learned something. If I plug the Linux Blackfin board (192.168.1.2) into my internal LAN (192.168.0.1), where my Suse server (192.168.0.3) is running the TFTP server, then it will load my Blackfin board with a Linux image.
And I see that being recorded in /var/log/xinetd.log. So, to me that means the Suse server is doing what it should be doing, and so the problem must be in the Smoothwall, which I need to investigate further.