I had an Ubuntu laptop which I configured as a router. The topology looks like:

internet <---> laptop router <---> raspberry pi 3

NAT is enabled on the laptop to forward packets from the Raspberry Pi 3 to the internet and also from the internet back to the Raspberry Pi 3. Everything works fine except TFTP.

Every time I want to get a file from the TFTP server, it fails with a timeout. And after capturing the packet on the laptop, the root cause is found.

NAT uses the destination IP and destination port as the key for forwarding the frame back to the Pi 3 when the reply comes back. But in the case of TFTP, the request is sent to the server IP and destination port 69, while the TFTP server replies to the request from the same IP but a different random port. So this confuses NAT, and it doesn't know where to forward this reply message. Finally, it replies back to the TFTP server with a destination unreachable error.

Though I know the cause, I don't know how to fix this. Can anyone help me? Thanks!

2 Answers

1

You need to mark the packets to use the TFTP-specific NAT module:

iptables -t raw -I PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp

With nft:

table ip filter {
    # conntrack helper object: attach the kernel's tftp helper to UDP flows
    ct helper tftp-69 {
        type "tftp" protocol udp
    }
    # chain that sees the TFTP request from the client
    chain input {
        ...
        ct state new udp dport 69 ct helper set "tftp-69"
    }
}
grawity
  • 501,077
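The question describes why a plain 5-tuple NAT table loses the TFTP reply, and the answer above fixes it with the conntrack helper. The following toy model, added here as an illustration (not the kernel's code and not from the answer), shows the difference: without the helper the reply from a fresh server port matches nothing; with it, the helper registers an expectation for any source port on the same server, so the reply is still mapped back to the Pi. All addresses and ports are constructed.

```python
# Toy model of a stateful UDP NAT with and without a TFTP helper.
# Constructed illustration only; it mimics the "expectation" that
# nf_conntrack_tftp/nf_nat_tftp register, it is not the kernel's code.
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Nat:
    public_ip: str = "203.0.113.7"   # router WAN address (constructed)
    helper: bool = False             # True = TFTP helper module "loaded"
    next_port: int = 40000
    # reverse lookup: (server ip, server port, public port) -> (lan ip, lan port)
    table: dict = field(default_factory=dict)
    # expectations: (server ip, public port) -> (lan ip, lan port), any server port
    expect: dict = field(default_factory=dict)

    def outbound(self, p: Packet) -> Packet:
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(p.dst, p.dport, pub_port)] = (p.src, p.sport)
        if self.helper and p.dport == 69:
            # TFTP helper: the reply may come from ANY port of that server
            self.expect[(p.dst, pub_port)] = (p.src, p.sport)
        return Packet(self.public_ip, pub_port, p.dst, p.dport)

    def inbound(self, p: Packet):
        inner = self.table.get((p.src, p.sport, p.dport))
        if inner is None:
            inner = self.expect.pop((p.src, p.dport), None)
            if inner is None:
                return None  # no state: dropped / ICMP unreachable on a real router
            # promote the expected flow to a normal entry for the data transfer
            self.table[(p.src, p.sport, p.dport)] = inner
        return Packet(p.src, p.sport, inner[0], inner[1])


def reply_forwarded(helper: bool, reply_from: str = "198.51.100.5") -> bool:
    """Send a read request to the TFTP server, then check whether the server's
    reply (sent from a fresh random port, as TFTP allows) reaches the Pi."""
    nat = Nat(helper=helper)
    out = nat.outbound(Packet("192.168.0.10", 3456, "198.51.100.5", 69))
    reply = Packet(reply_from, 51234, nat.public_ip, out.sport)
    back = nat.inbound(reply)
    return back is not None and (back.dst, back.dport) == ("192.168.0.10", 3456)
```

Note that the expectation is scoped to the server address the request went to, so a datagram from some other host aimed at the same public port is still dropped.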
0

You need to manually load the NAT helper for the TFTP protocol. For nftables it is called nf_nat_tftp; for iptables you'll have to check it yourself (I don't have them readily available, and it may be the same module).

Tomek
  • 1,288