Linux/Networking/Security: TFTP Daemon Setup and Cisco Configuration Backup

This is a quick walk-through of setting up the TFTP service on a Red Hat, CentOS or Fedora system. In general, the process should carry over to other Linux-derived distributions (not BSD!).

[root@tftpsrv ~]# yum install tftp-server
Resolving Dependencies
--> Running transaction check
---> Package tftp-server.i386 0:0.42-3.1.el5.centos set to be updated
--> Processing Dependency: xinetd for package: tftp-server
--> Running transaction check
---> Package xinetd.i386 2:2.3.14-10.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 tftp-server             i386       0.42-3.1.el5.centos  base               27 k
Installing for dependencies:
 xinetd                  i386       2:2.3.14-10.el5  base              124 k

Transaction Summary
=============================================================================
Install      2 Package(s)
Update       0 Package(s)
Remove       0 Package(s)         

Total download size: 151 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): tftp-server-0.42-3 100% |=========================|  27 kB    00:00
(2/2): xinetd-2.3.14-10.e 100% |=========================| 124 kB    00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: xinetd                       ######################### [1/2]
  Installing: tftp-server                  ######################### [2/2]

Installed: tftp-server.i386 0:0.42-3.1.el5.centos
Dependency Installed: xinetd.i386 2:2.3.14-10.el5
Complete!

Edit the xinetd configuration to enable tftp. Two lines change: server_args points -s at the directory that will hold the files (here /tftpfiles), and disable is set to no. With -s, in.tftpd chroots to that directory, so clients can only name files underneath it.

[root@tftpsrv ~]# vi /etc/xinetd.d/tftp
# default: off
# description: The tftp server serves files using the trivial file transfer \
#       protocol.  The tftp protocol is often used to boot diskless \
#       workstations, download configuration files to network-aware printers, \
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        # changed from: -s /tftpboot
        server_args             = -s /tftpfiles
        # changed from: yes
        disable                 = no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}

Create the directory named in the tftp configuration file

[root@tftpsrv xinetd.d]# mkdir /tftpfiles

Start xinetd. It listens on UDP port 69 and launches in.tftpd on demand

[root@tftpsrv ~]# /etc/init.d/xinetd start
Starting xinetd:                                           [  OK  ]
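Before starting xinetd it is worth checking that the stanza really says what the edit intended. The following Python is an example added to this article (not code from xinetd, tftp-hpa or the original post): it parses one xinetd stanza and flags the two settings changed above, a missing -s chroot directory, and a TFTP root that has not been created yet. The STANZA_BEFORE and STANZA_AFTER strings are constructed copies of the stock file before and after the edit, and `path_exists` is an injectable stand-in for os.path.isdir so the check runs offline.

```python
"""Parse an xinetd service stanza and flag the settings this walk-through changes.
Added example for this article; not code from xinetd, tftp-hpa or the original post."""
import os
import re

# Constructed copy of the stock /etc/xinetd.d/tftp stanza before the edit.
STANZA_BEFORE = """\
# default: off
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /tftpboot
        disable                 = yes
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}
"""
# The same stanza after the two edits made in the article.
STANZA_AFTER = re.sub(r"disable(\s*)= yes", r"disable\1= no",
                      STANZA_BEFORE.replace("-s /tftpboot", "-s /tftpfiles"))


def parse_xinetd_stanza(text):
    """Return (service name, {attribute: value}) for one stanza; '#' comments are skipped."""
    name, attrs, inside = None, {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("service "):
            name = line.split(None, 1)[1]
        elif line == "{":
            inside = True
        elif line == "}":
            inside = False
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            attrs[key.strip()] = value.strip()
    return name, attrs


def tftp_root(server_args):
    """Directory handed to in.tftpd's -s option (chroot), or None if absent."""
    m = re.search(r"(?:^|\s)-s\s+(\S+)", server_args)
    return m.group(1) if m else None


def check_tftp_stanza(text, path_exists=os.path.isdir):
    """Return a list of findings; an empty list means the stanza is ready to use.
    path_exists is injectable so the check can run against a constructed stanza."""
    name, attrs = parse_xinetd_stanza(text)
    findings = []
    if name != "tftp":
        findings.append("stanza is not for service 'tftp'")
    if attrs.get("disable", "yes").lower() != "no":
        findings.append("disable is not 'no': xinetd will not hand connections to in.tftpd")
    if attrs.get("socket_type") != "dgram" or attrs.get("protocol") != "udp":
        findings.append("TFTP runs over UDP: socket_type must be dgram and protocol udp")
    root = tftp_root(attrs.get("server_args", ""))
    if root is None:
        findings.append("server_args has no -s <dir>: in.tftpd will not chroot to the TFTP root")
    elif not path_exists(root):
        findings.append("TFTP root %s does not exist: create it before starting xinetd" % root)
    return findings


if __name__ == "__main__":
    # Against the live file: check_tftp_stanza(open("/etc/xinetd.d/tftp").read())
    for finding in check_tftp_stanza(STANZA_BEFORE, path_exists=lambda p: p == "/tftpfiles"):
        print("BEFORE:", finding)
    print("AFTER:", check_tftp_stanza(STANZA_AFTER, path_exists=lambda p: p == "/tftpfiles") or "ok")
```

The `user = root` line is left alone on purpose: in.tftpd needs root to chroot into the -s directory, and tftp-hpa then drops to the user given by -u (nobody by default), which is what makes the file permissions later in this walk-through matter.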

Save the current firewall rules before changing anything, then flush the rule set temporarily so the first transfer test is not blocked (the saved rules are restored below with the iptables init script):

[root@tftpsrv xinetd.d]# iptables-save > /etc/sysconfig/iptables
[root@tftpsrv xinetd.d]# iptables -F

Below, the tftp put fails. The file has to exist on the TFTP server, and be writable by the user in.tftpd runs as, before a client can write to it; in.tftpd only creates new files when started with -c. That is the only real access control TFTP has: there is no authentication, so all a client needs in order to read or write a file is its name.

C9124SW5# copy running-config tftp:CISCSCOCFG1
Enter hostname for the tftp server: 172.16.100.6
Trying to connect to tftp server......

TFTP put operation failed:Undefined error code (2)

Create the file the switch will save to and make it writable by in.tftpd's user

[root@tftpsrv ~]# touch /tftpfiles/CISCSCOCFG1
[root@tftpsrv ~]# chmod 777 /tftpfiles/CISCSCOCFG1

Tell the switch to save the file

C9124SW5# copy running-config tftp:CISCSCOCFG1
Enter hostname for the tftp server: 172.16.100.6
Trying to connect to tftp server......
|
TFTP put operation was successful
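The failure and the success above come down to one check inside the server's write-request handling. The following Python is an example added to this article (not from the original post and not tftp-hpa code): it builds the RFC 1350 packets used by a write (WRQ, DATA, ACK, ERROR) and runs both sides of the exchange against an in-memory stand-in for the TFTP root, so it runs offline. The `TftpWriteServer` and `tftp_put` names are this example's own; `allow_create` models in.tftpd's -c option, and the permission check models in.tftpd running as its unprivileged user, so a file that `touch` created as root with mode 0644 is still refused until it is chmod'ed. The RUNNING_CONFIG bytes are constructed, not a real device configuration.

```python
"""RFC 1350 write-request exchange, client and server side, run in memory.
Added example for this article; not code from the original post or from tftp-hpa."""
import struct

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5   # RFC 1350 opcodes used here
ERR_ACCESS, ERR_ILLEGAL = 2, 4                    # RFC 1350 error codes used here
BLOCK_SIZE = 512                                  # data block size when no options are negotiated


def build_wrq(filename, mode="octet"):
    """WRQ: opcode 2, then NUL-terminated filename and transfer mode."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def parse_packet(pkt):
    """Decode one TFTP packet into (opcode, dict of fields)."""
    (op,) = struct.unpack("!H", pkt[:2])
    if op == OP_WRQ:
        filename, mode = pkt[2:].split(b"\0")[:2]
        return op, {"filename": filename.decode(), "mode": mode.decode()}
    if op in (OP_DATA, OP_ACK, OP_ERROR):
        (num,) = struct.unpack("!H", pkt[2:4])
        if op == OP_DATA:
            return op, {"block": num, "data": pkt[4:]}
        if op == OP_ACK:
            return op, {"block": num}
        return op, {"code": num, "msg": pkt[4:].split(b"\0", 1)[0].decode()}
    raise ValueError("unsupported opcode %d" % op)


class TftpWriteServer:
    """In-memory stand-in for the chrooted TFTP root (hypothetical name).

    files maps filename -> [unix mode, bytearray]. allow_create models in.tftpd's -c
    option; the default False is what the article's setup runs with. The mode check
    models in.tftpd having dropped to an unprivileged user that owns none of the files,
    so only a world-writable file can be written."""

    def __init__(self, files, allow_create=False):
        self.files = files
        self.allow_create = allow_create
        self.open_name = None

    def handle(self, pkt):
        """Take one client packet and return the server's reply packet."""
        op, f = parse_packet(pkt)
        if op == OP_WRQ:
            name = f["filename"]
            if name not in self.files:
                if not self.allow_create:
                    # Default in.tftpd behaviour: uploads only to files that already exist
                    return build_error(ERR_ACCESS, "Access violation")
                self.files[name] = [0o666, bytearray()]
            if not self.files[name][0] & 0o002:
                # Exists but not writable by the tftpd user (e.g. mode 0644 from touch)
                return build_error(ERR_ACCESS, "Access violation")
            self.files[name][1] = bytearray()   # a write request truncates the file
            self.open_name = name
            return build_ack(0)
        if op == OP_DATA and self.open_name is not None:
            self.files[self.open_name][1] += f["data"]
            if len(f["data"]) < BLOCK_SIZE:     # a short block ends the transfer
                self.open_name = None
            return build_ack(f["block"])
        return build_error(ERR_ILLEGAL, "Illegal TFTP operation")


def tftp_put(server, filename, content):
    """Client side of a write: ('ok', bytes_sent) or ('error', code, message)."""
    op, f = parse_packet(server.handle(build_wrq(filename)))
    if op == OP_ERROR:
        return ("error", f["code"], f["msg"])
    block, offset = 0, 0
    while True:
        chunk = content[offset:offset + BLOCK_SIZE]
        block += 1
        op, f = parse_packet(server.handle(build_data(block, chunk)))
        if op == OP_ERROR:
            return ("error", f["code"], f["msg"])
        offset += len(chunk)
        if len(chunk) < BLOCK_SIZE:
            return ("ok", offset)


# Constructed stand-in for the switch's running-config (not a real device config).
RUNNING_CONFIG = (b"hostname C9124SW5\n!\ninterface Vlan1\n"
                  b" ip address 172.16.100.98 255.255.255.0\n!\n") * 20


def replay_article_steps():
    """Replay the three states from the article: no file, file from touch, file after chmod."""
    srv = TftpWriteServer({})
    missing = tftp_put(srv, "CISCSCOCFG1", RUNNING_CONFIG)
    srv.files["CISCSCOCFG1"] = [0o644, bytearray()]      # touch as root: exists, mode 0644
    unwritable = tftp_put(srv, "CISCSCOCFG1", RUNNING_CONFIG)
    srv.files["CISCSCOCFG1"][0] = 0o666                 # chmod: now writable by tftpd's user
    written = tftp_put(srv, "CISCSCOCFG1", RUNNING_CONFIG)
    return missing, unwritable, written, bytes(srv.files["CISCSCOCFG1"][1])


if __name__ == "__main__":
    for label, result in zip(("no file", "after touch", "after chmod"), replay_article_steps()):
        print("%-12s %s" % (label, result))
```

Error code 2 is "Access violation" in RFC 1350, the "error code (2)" the switch printed above. Write permission is all the transfer needs, so mode 666 does the same job as the 777 used in the walk-through; the execute bit buys nothing for a configuration file. Running the same steps with `allow_create=True` shows what -c changes: the pre-creation step disappears, and with it the one check that stood between any host that can reach UDP 69 and a writable TFTP root.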

Check the services file for the TFTP port and protocol. TFTP itself only uses UDP; the tcp line is just the port registration.

[root@tftpsrv]# cat /etc/services | grep tftp
tftp        69/tcp
tftp        69/udp

Bring the firewall back up so we can insert rules to allow TFTP in

[root@tftpsrv]# /etc/init.d/iptables restart

On my test server the firewall chain is “RH-Firewall-1-INPUT”. I always prefer inserting new firewall rules as the first rule in the chain. Most servers keep a few custom reject rules, and most chains are explicit-allow with a default deny at the end; inserting the new rule first means a packet hits the tftp rule before any rule that might reject it.

[root@tftpsrv]# iptables -I RH-Firewall-1-INPUT 1 -s 172.16.100.98 -p tcp --dport 69 -j ACCEPT
[root@tftpsrv]# iptables -I RH-Firewall-1-INPUT 1 -s 172.16.100.98 -p udp --dport 69 -j ACCEPT

The above statements tell iptables to insert (-I) the new rule into the chain “RH-Firewall-1-INPUT” as rule number 1. -s specifies the source address, -p the protocol, --dport the destination port, and -j ACCEPT is the target the packet jumps to, which lets the traffic through. Since TFTP runs over UDP only, the tcp rule is harmless but not needed. Note also that in.tftpd answers the request from a new, ephemeral port, so the rule above admits only the initial request to port 69; the rest of the exchange is admitted by the stateful ESTABLISHED,RELATED rule the stock Red Hat chain carries.

Verify the rules are there

[root@tftpsrv]# iptables -L
Chain RH-Firewall-1-INPUT
target     prot opt source               destination
ACCEPT     udp  --  172.16.100.98        anywhere            udp dpt:tftp
ACCEPT     tcp  --  172.16.100.98        anywhere            tcp dpt:tftp

Save the rules in sysconfig so they persist across reboots

[root@tftpsrv]# iptables-save > /etc/sysconfig/iptables

Notes: Never flush your iptables rules (“iptables -F”) on production systems that are not protected by a firewall or that are on a public IP. Always back up and save your iptables configuration before testing. Also, if you are not familiar with security, or someone else is responsible for security in the company, ask them first or have them modify the local iptables rules. Another good rule for servers running TFTP, FTP, Telnet, DNS and mail is to dedicate a server to each. These are some of the most exploited services out there.

~ by Kevin Goodman on March 31, 2009.

One Response to “Linux/Networking/Security: TFTP Daemon Setup and Cisco Configuration Backup”

  1. Thank you, that is very useful and digest.
