I have a TFTP server (Machine 'S') and a TFTP client (Machine 'C') on different subnets. They are connected via a router (Machine 'R'). The router is running iptables and is set to masquerade connections from the client's network to the server's network. I have configured iptables to use the Netfilter TFTP helper for tftp connections going to the TFTP server.

The trouble I'm having is that the TFTP helper sets up an expectation for the return tftp connection (as expected) but, despite this, only traffic from port 69 on the TFTP server is getting translated and sent back to the client. So only the regular MASQUERADE connection tracking is being used even though the conntrack table shows the expected return connection.

According to RFC1350, the server is supposed to choose a random source port for its communication and direct it to the port that the client used as a source port originally (whew.). The result is that the router NATs the connection from the client to the server, sets up a translation rule for the return connection and happily waits for a return packet from the server with source port=69 that never arrives.

Iptables on the router has the following rules. All tables have default ACCEPT policy:

    = RAW Table =
    Chain PREROUTING (policy ACCEPT 464K packets, 432M bytes)
     pkts bytes target  prot opt in  out  source     destination
       59  2504 CT      udp  --  *   *    0.0.0.0/0  0.0.0.0/0    udp dpt:69 CT helper tftp

    Chain OUTPUT (policy ACCEPT 280K packets, 36M bytes)

    Chain POSTROUTING (policy ACCEPT 398 packets, 40794 bytes)
     pkts bytes target      prot opt in  out     source     destination
     5678  349K MASQUERADE  all  --  *   enp1s0  0.0.0.0/0  0.0.0.0/0

But, as you'll see, the connection is only routed back to the client if the source port from the server is port 69 (regular old NAT)! Why is this? This is not the correct behaviour as far as I can tell. As you can also see, the expectation created in the EXPECT table has source port 0, which I assume means "any port".

I have been through a lot of the forums here and elsewhere to come up with this idea but there are always better ways of doing things. Even just a positive response that the file exists through a TFTP request would be simpler. I would appreciate some help with powershell but only if you have time.
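The following is an added example for the iptables question above; it is not the poster's configuration and not an answer from the thread. It emits the full set of pieces the Netfilter TFTP helper needs for a reply from a random server source port to be translated back to the client, and it checks conntrack state for the two things that must be true: the master entry carries the tftp helper, and the expectation allows any server source port (sport=0) and is bound to the helper. The interface name enp1s0 is taken from the post; the addresses in the conntrack, expectation and lsmod sample lines are constructed for illustration. One point the post's listing cannot show is whether nf_nat_tftp is loaded: nf_conntrack_tftp only creates the expectation, while nf_nat_tftp is what makes the expected reply inherit the master connection's NAT mapping, so without it the reply is tracked as RELATED but is not rewritten to the client's address.

```shell
#!/bin/sh
# Added example, not the poster's router configuration. Assumptions: enp1s0 is
# the server-facing interface (from the post); all sample lines are constructed.
set -eu

EXT_IF="${EXT_IF:-enp1s0}"

# Print the commands to review; apply with:  tftp_helper_rules | sudo sh
tftp_helper_rules() {
    cat <<EOF
# Both halves of the helper: nf_conntrack_tftp creates the expectation,
# nf_nat_tftp makes the expected reply follow the master's NAT mapping.
# Newer kernels autoload the NAT half from the CT rule; loading it is harmless.
modprobe nf_conntrack_tftp
modprobe nf_nat_tftp
# Automatic helper assignment is off by default since Linux 4.7, so the helper
# must be bound explicitly in the raw table, before NAT runs.
iptables -t raw -A PREROUTING -p udp --dport 69 -j CT --helper tftp
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
# The expected data connection is RELATED on its first packet; with a DROP
# policy in FORWARD this rule is what lets the server's reply through.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp --dport 69 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Constructed /proc/net/nf_conntrack line for the master flow: client 10.0.1.5
# -> server 10.0.2.10, masqueraded behind the router's 10.0.2.1. The entry
# must end with helper=tftp, otherwise the raw CT rule never matched.
SAMPLE_CT='ipv4     2 udp      17 25 src=10.0.1.5 dst=10.0.2.10 sport=49152 dport=69 src=10.0.2.10 dst=10.0.2.1 sport=69 dport=49152 mark=0 helper=tftp use=2'

# Constructed "conntrack -L expect" line for the same flow. Note the tuple is
# server -> router's masqueraded address, with sport=0 (any source port); the
# rewrite of dst back to the client is the NAT helper's job, not the table's.
SAMPLE_EXP='299 proto=17 src=10.0.2.10 dst=10.0.2.1 sport=0 dport=49152 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=10.0.1.5 master-dst=10.0.2.10 sport=49152 dport=69 class=0 helper=tftp'

# Constructed lsmod excerpt in which only the conntrack half is loaded.
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_tftp      16384  1
nf_conntrack          172032  3 nf_conntrack_tftp,nf_nat,xt_conntrack'

# 0 if the master conntrack entry for the given client source port is bound to
# the tftp helper.
ct_master_has_tftp_helper() {
    printf '%s\n' "$1" | grep -q "sport=$2 dport=69 .*helper=tftp"
}

# 0 if the expectation tuple (the part before mask-src) allows any server
# source port and the expectation belongs to the tftp helper.
expect_is_tftp_any_port() {
    case "$1" in
        *" sport=0 dport="*" mask-src="*"helper=tftp"*) return 0 ;;
    esac
    return 1
}

# Prints the helper modules absent from the given lsmod output, one per line.
missing_tftp_modules() {
    for m in nf_conntrack_tftp nf_nat_tftp; do
        printf '%s\n' "$1" | grep -q "^$m " || echo "$m"
    done
}

# Stand-alone run: show the rule set and the result of the checks on the samples.
tftp_helper_rules
ct_master_has_tftp_helper "$SAMPLE_CT" 49152 && echo "master entry: helper bound"
expect_is_tftp_any_port "$SAMPLE_EXP" && echo "expectation: any source port, tftp helper"
echo "modules missing from sample lsmod: $(missing_tftp_modules "$SAMPLE_LSMOD")"
```

On the real router the same checks are `lsmod | grep tftp`, `conntrack -L -p udp --dport 69` and `conntrack -L expect`; if the expectation is present with sport=0 but the reply from the server's random port is still not translated, the module list is the first thing to compare.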