One of the article linked above suggests the following using iptables (which makes sense): iptables -A PREROUTING -t raw -p udp -dport 69 -s 192.168.11.0/24 -d 172.16.0.0/16 -j CT -helper tftp Nf_conntrack 155648 10 nf_conntrack_ipv6,nf_conntrack_ipv4,nf_nat,nf_conntrack_tftp,nft_ct,nf_nat_ipv6,nf_nat_ipv4,nf_nat_tftp,nft_masq,nft_masq_ipv4 The nf_*_tftp helpers are both loaded (regardless of the nf_contrack_helper setting): # lsmod | grep tftp With nf_contrack_helper=1, the outgoing packet is not even NATed at all: tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes I tried it with both settings for sysctl _contrack_helper (rebooted after changing the setting): # sysctl -a | grep conntrack_helper The response arrives at the router, but is not properly NATed to arrive at the client. With tcpdump, I see that the RRQ message travels successfully from 192.168.1.2 to 10.0.10.10. Unable to NAT TFTP traffic because iptables is not forwarding the return connection to the client despite TFTP helper creating an expectation
I need to do this with CentOS 8 with firewalld and nft as the backend. My question is similar to many others around the 'Net, but all the answers I found applied to CentOS 7 with iptables. I am trying to set up PXE booting (which requires TFTP) on one of my networking that is hiding behind a NAT router.
0 kommentar(er)
