The tftp server is a service that runs from xinetd. xinetd is a server that starts at boot time and handles incoming connections for a number of services; it is sometimes called the "super server". To allow the tftp server to run, we need to enable xinetd first and then turn on tftp.

    [root@server0 ~]# chkconfig --list xinetd
    xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    [root@server0 ~]# chkconfig --list tftp
    tftp off
    [root@server0 ~]# chkconfig tftp on
    [root@server0 ~]# service xinetd start
    Starting xinetd: [ OK ]

Configuration files for xinetd are stored in /etc/xinetd.d. The configuration file for tftp is /etc/xinetd.d/tftp. chkconfig makes turning on an xinetd service very simple. To enable a service manually, you need to edit its xinetd configuration file and change the line that reads disable=yes to disable=no. Take a moment to look at this file and familiarise yourself with the configuration options. In particular, the root directory of the tftp server is set in this file.

Now that tftp is up and running, we will test it by transferring a file from the server using the client program tftp*:

    [root@server0 ~]# ls -l /etc/services
    -rw-r--r-- 1 root root 362031 Feb 23 2006 /etc/services
    [root@server0 ~]# cd /tftpboot
    [root@server0 tftpboot]# cp /etc/services .
    [root@server0 tftpboot]# cd
    [root@server0 ~]# tftp localhost
    tftp> get services
    tftp> quit
    [root@server0 ~]# ls -l services
    -rw-r--r-- 1 root root 362031 Apr 30 23:33 services

Now that we know our tftp server is working properly, we need to make sure clients can reach the server. tftp runs on UDP port 69.

    [root@server0 ~]# iptables -I RH-Firewall-1-INPUT -p udp --destination-port 69 -j ACCEPT
    [root@server0 ~]# iptables-save >/etc/sysconfig/iptables

The tftp protocol works differently than the other services we've covered so far. The client and server decide on ephemeral** ports to communicate on and then do the file transfer on those ports. Since our iptables rule only allows communication on port 69, we need to tell iptables to use a module that can track the ports used by tftp. This module is ip_conntrack_tftp; we enable it in /etc/sysconfig/iptables-config. Find the line that starts with IPTABLES_MODULES= and add ip_conntrack_tftp to this line if it doesn't already exist. Reload iptables after that to load the module.

    [root@server0 sysconfig]# grep "IPTABLES_MODULES=" iptables-config
    IPTABLES_MODULES="ip_conntrack_netbios_ns"
    [root@server0 sysconfig]# sed -i.bak -e 's/\(IPTABLES_MODULES=\"\)/\1ip_conntrack_tftp /' iptables-config
    [root@server0 sysconfig]# grep "IPTABLES_MODULES=" iptables-config
    IPTABLES_MODULES="ip_conntrack_tftp ip_conntrack_netbios_ns"
    Flushing firewall rules: [ OK ]
    Setting chains to policy ACCEPT: filter [ OK ]
    Unloading iptables modules: [ OK ]
    Applying iptables firewall rules: [ OK ]
    Loading additional iptables modules: ip_conntrack_tftp ip_c[ OK ]_netbios_ns

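
The port switch described above, run on the loopback interface as an added example that is not part of the original article: the read request goes to the listening port, but every DATA packet comes back from a different, kernel-chosen port, which is the traffic ip_conntrack_tftp has to associate with the request. The function names, the loopback stand-in for UDP port 69 and the file contents are assumptions made for the demonstration.

```python
import socket, struct, threading

RRQ, DATA, ACK, BLOCK = 1, 3, 4, 512   # TFTP opcodes (RFC 1350), bytes per DATA block
LOOP = "127.0.0.1"

def udp_socket():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((LOOP, 0))         # port 0: the kernel picks an ephemeral port
    s.settimeout(2)
    return s

def serve_one(listener, files):
    req, client = listener.recvfrom(1024)   # RRQ: opcode, filename\0, mode\0
    content = files[req[2:].split(b"\0")[0].decode()]
    xfer = udp_socket()       # the transfer leaves the listening port here
    for block in range(1, len(content) // BLOCK + 2):
        chunk = content[(block - 1) * BLOCK:block * BLOCK]
        xfer.sendto(struct.pack("!HH", DATA, block) + chunk, client)
        xfer.recvfrom(16)     # wait for the client's ACK
    xfer.close()

def fetch(server_port, name):
    """Send an RRQ; return the data and the source ports DATA arrived from."""
    c = udp_socket()
    c.sendto(struct.pack("!H", RRQ) + name.encode() + b"\0octet\0", (LOOP, server_port))
    data, ports = b"", set()
    while True:
        pkt, (_, sport) = c.recvfrom(4 + BLOCK)
        block = struct.unpack("!HH", pkt[:4])[1]
        ports.add(sport)
        data += pkt[4:]
        c.sendto(struct.pack("!HH", ACK, block), (LOOP, sport))
        if len(pkt) - 4 < BLOCK:   # a short block ends the transfer
            c.close()
            return data, ports

def demo():
    listener = udp_socket()   # stand-in for udp/69, which needs root to bind
    listen_port = listener.getsockname()[1]
    files = {"services": b"constructed sample\n" * 70}   # 1330 bytes, 3 blocks
    t = threading.Thread(target=serve_one, args=(listener, files))
    t.start()
    data, ports = fetch(listen_port, "services")
    t.join()
    listener.close()
    return listen_port, ports, data == files["services"]

if __name__ == "__main__":
    print(demo())
```

A firewall rule that matches only the listening port sees the first packet of this exchange and none of the rest.
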
We can now try tftp from our client machine, but again due to the way tftp works, we need to load the ip_conntrack_tftp module on our client machine also.

    [root@client0 ~]# service iptables restart
    iptables: Flushing firewall rules: [ OK ]
    iptables: Setting chains to policy ACCEPT: filter [ OK ]
    iptables: Unloading modules: [ OK ]
    iptables: Applying firewall rules: [ OK ]
    iptables: Loading additional modules: ip_conntrack_tftp [ OK ]
    [root@client0 ~]# tftp server1
    tftp> get services
    tftp> quit
    [root@client0 ~]# ls -l services
    -rw-r--r-- 1 root root 362031 2009-05-01 15:59 services

Now that we've verified that tftp is working properly, we need the boot files for our clients. These are contained in the package system-config-netboot. The most important is the first file that is used to bootstrap the client, pxelinux.0.

    [root@server0 tftpboot]# yum install system-config-netboot-cmd system-config-netboot
    ...
    Installed: system-config-netboot.noarch 0:0.1.45.1-1.el5 system-config-netboot-cmd.noarch 0:0.1.45.1-1.el5
    Complete!
    [root@server0 tftpboot]# ls linux-install/
    msgs pxelinux.0 pxelinux.cfg

At this point we have the DNS server, tftp server and HTTP server running. We need one more service to tie everything together: DHCP.

* tftp, the client program, is in the rpm tftp. We tested this from the server. Your server should have the minimum number of packages installed; for testing you can install the tftp rpm and then remove it when you are done using rpm -e tftp.

** Ephemeral ports are pseudorandomly chosen ports that are typically highly numbered (much higher than 1024).