Hi,

I have a setup where the tftp server is inside the firewall.

Now the issue is that the tftp client sends requests on a dynamic udp port. Can anyone give me some idea how I can bind a fixed port for the client's udp requests? Otherwise, I hope opening all UDP-related ports in the firewall is not the solution.

Regards,
lingu
I use tftp through a masquerading firewall. To set it up I edited (on the CentOS-4 firewall) /etc/sysconfig/iptables-config and set

IPTABLES_MODULES="ip_nat_tftp ip_conntrack_tftp"

I think ip_conntrack_tftp is what you need.

John.

lingu wrote:
> Hi,
>
> I have a setup where the tftp server is inside the firewall.
>
> Now the issue is tftp client send request on dynamic udp port. Can
> anyone give some idea, how i can bind the fixed port for client udp
> requests ?
> Otherwise i hope, it is not a solution that i will open all port related
> to UDP in the firewall.
>
> Regards,
> lingu

-- 
John Newbigin
ITS Senior Analyst / Programmer
Faculty of Information and Communication Technologies
Swinburne University of Technology
Melbourne, Australia
http://www.ict.swin.edu.au/staff/jnewbigin
Hi,

Thanks for your reply, but my query is different: ip_conntrack_tftp is already loaded on my CentOS. TFTP is working fine now, but I want to tighten security on iptables further. Right now all of my udp ports are open, and I don't want that. See my previous mail below.

####################################################################
I have a setup where the tftp server is inside the firewall.

Now the issue is that the tftp client sends requests on a dynamic udp port. Can anyone give me some idea how I can bind a fixed port for the client's udp requests? Otherwise, I hope opening all UDP-related ports in the firewall is not the solution.
#########################################################################

Regards,
lingu

On Mon, Jun 9, 2008 at 5:28 PM, lingu <hicheerup at gmail.com> wrote:
> Hi,
>
> I have a setup where the tftp server is inside the firewall.
>
> Now the issue is tftp client send request on dynamic udp port. Can anyone
> give some idea, how i can bind the fixed port for client udp requests ?
> Otherwise i hope, it is not a solution that i will open all port related to
> UDP in the firewall.
>
> Regards,
> lingu
If conntrack can track the TFTP sessions, then you should be able to filter it using -m state in iptables.

iptables -A ... -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A ... -m state --state NEW -p udp --dport 69 -j ACCEPT

You can have one rule in INPUT and the other in OUTPUT, or both in FORWARD with different -i and -o interfaces.

If you give more details on your current topology, what access you want to allow, and what your current rules are, it might be easier to help you accomplish that exactly.

HTH,
Filipe
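The reason Filipe's two rules are enough, shown as an added example that is not code from the thread: the model below imitates what ip_conntrack_tftp (nf_conntrack_tftp on current kernels) does when it sees a read or write request to udp/69, and then pushes a constructed TFTP transfer through a FORWARD chain built from those two rules. The server address, interface names, client ports and the server's data port are all made-up values.

```python
"""Model of how iptables state matching treats a TFTP transfer.

Added example, not from the thread. It imitates the TFTP conntrack
helper: a client request to udp/69 with opcode RRQ (1) or WRQ (2) makes
the helper expect a reply from the server, from ANY source port, back to
the client's IP:port. That reply is classified RELATED and the rest of
the transfer ESTABLISHED, so only udp/69 needs a NEW rule.
Addresses, ports and interface names below are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TFTP_SERVER = "192.168.1.10"     # assumed: server behind the firewall
LAN_IF, WAN_IF = "eth1", "eth0"  # assumed interface names
RRQ, WRQ, DATA, ACK = 1, 2, 3, 4  # TFTP opcodes (RFC 1350)


@dataclass(frozen=True)
class Packet:
    inif: str                      # interface the packet arrived on (-i)
    src: str
    sport: int
    dst: str
    dport: int
    opcode: Optional[int] = None   # TFTP opcode when the payload is TFTP


class Conntrack:
    """Minimal UDP conntrack with an optional TFTP helper."""

    def __init__(self, tftp_helper: bool = True) -> None:
        self.tftp_helper = tftp_helper
        self.entries = {}     # original-direction tuple -> reply seen?
        self.expects = set()  # (server, client, client_port): any server port

    @staticmethod
    def _tuples(p: Packet):
        return (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)

    def state(self, p: Packet) -> str:
        orig, rev = self._tuples(p)
        if orig in self.entries:
            # original direction counts as ESTABLISHED only after a reply
            return "ESTABLISHED" if self.entries[orig] else "NEW"
        if rev in self.entries:
            return "ESTABLISHED"   # reply direction of a known flow
        if self.tftp_helper and (p.src, p.dst, p.dport) in self.expects:
            return "RELATED"       # matches the helper's expectation
        return "NEW"

    def confirm(self, p: Packet, state: str) -> None:
        """Called only for accepted packets, like conntrack confirmation."""
        orig, rev = self._tuples(p)
        if rev in self.entries:
            self.entries[rev] = True
            return
        if state == "RELATED":
            self.expects.discard((p.src, p.dst, p.dport))
        self.entries.setdefault(orig, False)
        if self.tftp_helper and p.dport == 69 and p.opcode in (RRQ, WRQ):
            # helper: expect server (any port) -> client:sport
            self.expects.add((p.dst, p.src, p.sport))


def forward(ct: Conntrack, p: Packet) -> Tuple[str, str]:
    """FORWARD chain from the thread, policy DROP:
    -m state --state ESTABLISHED,RELATED -j ACCEPT
    -i WAN -o LAN -m state --state NEW -p udp -d SERVER --dport 69 -j ACCEPT
    """
    st = ct.state(p)
    if st in ("ESTABLISHED", "RELATED"):
        verdict = "ACCEPT"
    elif st == "NEW" and p.inif == WAN_IF and p.dst == TFTP_SERVER and p.dport == 69:
        verdict = "ACCEPT"
    else:
        verdict = "DROP"
    if verdict == "ACCEPT":
        ct.confirm(p, st)
    return st, verdict


def run_transfer(tftp_helper: bool = True) -> List[Tuple[str, str]]:
    """Push a constructed RRQ transfer plus a stray UDP probe through the chain."""
    client, cport, sport = "10.0.0.5", 34567, 51234  # constructed sample flow
    packets = [
        Packet(WAN_IF, client, cport, TFTP_SERVER, 69, RRQ),      # read request
        Packet(LAN_IF, TFTP_SERVER, sport, client, cport, DATA),  # data from a new port
        Packet(WAN_IF, client, cport, TFTP_SERVER, sport, ACK),   # client ack
        Packet(LAN_IF, TFTP_SERVER, sport, client, cport, DATA),  # next block
        Packet(WAN_IF, client, 4444, TFTP_SERVER, 4444),          # unrelated probe
    ]
    ct = Conntrack(tftp_helper)
    return [forward(ct, p) for p in packets]


if __name__ == "__main__":
    for helper in (True, False):
        print("helper loaded" if helper else "no helper", run_transfer(helper))
```

With the helper, the server's first DATA packet from its fresh port is RELATED and everything after it ESTABLISHED, while the probe to another UDP port stays NEW and is dropped; with the helper absent the same DATA packet is NEW and dropped, which is the symptom that leads people to open all UDP ports. Two caveats for a real firewall: when the firewall also masquerades the client, ip_nat_tftp is needed as John said, so the expectation is rewritten along with the addresses; and on current kernels automatic helper assignment is off, so the helper is attached explicitly in the raw table, e.g. `iptables -t raw -A PREROUTING -p udp --dport 69 -j CT --helper tftp`. The helper works by parsing the TFTP payload, so only traffic it can see in clear is tracked.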