Set up CentOS 5 Linux as a TFTP server for backing up routers and other network devices
If you need to back up your network devices' (you know, Cisco, HP etc) running configuration, one of the most common ways to do this is via a TFTP server. There are various TFTP solutions out there and this guide covers turning a CentOS box into a TFTP server. There are a few guides out there already but this one covers CentOS 5 Linux specifically.
Step 1.
You need to install the tftp-server service and the xinetd service software using yum.
The xinetd service is required as this controls the tftp server daemon.
To do this from the command line issue the commands
yum install tftp-server
yum install xinetd
Step 2.
Now the tftp server is installed we need to make a small amendment to enable external hosts (routers, switches etc) to use this service.
To make this change, alter the server_args line found in the file /etc/xinetd.d/tftp to read
"server_args = -c -s /tftpboot"
(-c lets clients create new files on the server, which a configuration upload needs; -s runs the daemon chrooted to /tftpboot so only that directory is served.) The stanza should then look like this:
service tftp
{
disable = no
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -c -s /tftpboot
per_source = 11
cps = 100 2
flags = IPv4
}
Set the tftp and xinetd services to start up at boot
chkconfig tftp on
chkconfig xinetd on
If the xinetd service doesn't start then issue this command
service xinetd start
This will create a directory at root level called /tftpboot. This is the directory used for the TFTP service. To upload files to it you will have to set write permissions on the directory, using chmod:
chmod 777 /tftpboot
Step 3.
Next alter your iptables firewall configuration to allow tftp transfers
Firstly add these lines to the /etc/sysconfig/iptables file
#tftp rules
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m udp -p udp --dport 69 -j ACCEPT
#end tftp rules
NOTE! Change the 192.168.1.0/24 entry to match your own subnet. Or better still, put in the individual IP addresses of the network hosts that will connect.
Secondly, add the ip_conntrack_tftp module to the /etc/sysconfig/iptables-config file.
I placed it under the Load Additional modules section so it looks like this (note mine already had an ip_conntrack_netbios_ns module added):
# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_tftp"
Optional Step 4. Configure SELINUX.
If you have SELINUX running, SELINUX won't allow you to PUT or upload files to your TFTP server. This is of course useless if you are trying to back up a network device to this host. You can either turn off SELINUX altogether or configure SELINUX to work with TFTP.
Step 4.1. Disable SELINUX
Temporarily disable:
echo 0 > /selinux/enforce
Permanently disable:
In the the file /etc/selinux/config
change the line SELINUX=enforcing to say SELINUX=disabled
Step 4.2. Better still, configure SELINUX to work with the TFTP service.
There is a tool called audit2allow which will allow you to create custom SELINUX policies to enable operations (in this case tftp write operations).
To use this you need to examine your server's audit log, /var/log/audit/audit.log. This is where SELINUX logs denials. If you are receiving permission denied errors when uploading or putting files due to SELINUX, check this log; if SELINUX is causing the problem you will see an error log entry that looks like this:
type=AVC msg=audit(1245199930.280:31): avc: denied { write } for pid=2584 comm="in.tftpd" name="tftpboot" dev=dm-0 ino=1747009 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tftpdir_t:s0 tclass=dir
type=SYSCALL msg=audit(1245199930.280:31): arch=40000003 syscall=5 success=no exit=-13 a0=805e7a2 a1=8041 a2=1b6 a3=8041 items=0 ppid=2565 pid=2584 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=system_u:system_r:tftpd_t:s0-s0:c0.c1023 key=(null)
Using this error and the audit2allow tool we can create a policy that allows TFTP writes.
Step 1.
Create some policy rules to load into SELINUX. Using grep, feed the log entries from the audit file that match our error into the audit2allow tool.
grep tftpd_t /var/log/audit/audit.log | audit2allow -M tftplocal
NOTE!
The audit2allow tool isn't infallible, so you should check that the rules contained in the output module the above command creates aren't too relaxed. These rules are kept in a file called tftplocal.te that is created as a result of the above command. Understanding the rules is beyond the scope of this article; however, this is what is required to create a policy allowing tftp 'writes'.
module tftplocal 1.0;
require {
type tftpd_t;
type tftpdir_t;
class dir { write add_name };
class file { write create };
}
#============= tftpd_t ==============
allow tftpd_t tftpdir_t:dir { write add_name };
allow tftpd_t tftpdir_t:file { write create };
Step 2.
Import the selinux policy module created in step 1
semodule -i tftplocal.pp
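As an added illustration (not part of the original article and not the audit2allow tool itself), the following script reimplements the small part of audit2allow that matters here: it parses AVC denial records like the one above, merges the denied permissions per target type and object class, and prints a .te module in the same layout as tftplocal.te, so you can see exactly which permissions a module would grant before loading it. The audit records are constructed sample data and the function name avc_to_te is assumed.

```shell
# Constructed sample audit.log excerpt (not real log data): three AVC denials for
# in.tftpd writing into /tftpboot, plus a SYSCALL record that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1245199930.280:31): avc:  denied  { write } for  pid=2584 comm="in.tftpd" name="tftpboot" dev=dm-0 ino=1747009 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tftpdir_t:s0 tclass=dir
type=AVC msg=audit(1245199931.100:32): avc:  denied  { add_name } for  pid=2584 comm="in.tftpd" name="router1.cfg" scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tftpdir_t:s0 tclass=dir
type=AVC msg=audit(1245199931.101:33): avc:  denied  { write create } for  pid=2584 comm="in.tftpd" name="router1.cfg" scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tftpdir_t:s0 tclass=file
type=SYSCALL msg=audit(1245199930.280:31): arch=40000003 syscall=5 success=no exit=-13 comm="in.tftpd" exe="/usr/sbin/in.tftpd"'

# avc_to_te MODULE DOMAIN: read audit records on stdin, keep only AVC denials whose
# source type is DOMAIN, merge permissions per (target type, class) and print a .te
# module in the layout audit2allow uses. Exits 1 if no matching denial was seen.
avc_to_te() {
  awk -v mod="$1" -v dom="$2" '
    $1 == "type=AVC" && /avc: *denied/ {
      perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, p, ":"); src = p[3] }   # user:role:type:...
        else if ($i ~ /^tcontext=/) { split($i, p, ":"); tgt = p[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src != dom || tgt == "" || cls == "") next
      key = tgt SUBSEP cls
      if (!(key in rule)) keys[++nk] = key              # first-seen order kept for output
      if (!(cls in cperm)) classes[++nc] = cls
      if (tgt != dom && !(tgt in types)) { types[tgt] = 1; tlist[++nt] = tgt }
      n = split(perms, pl, " ")
      for (j = 1; j <= n; j++) {                        # union of permissions, no duplicates
        if (index(rule[key] " ", " " pl[j] " ") == 0) rule[key] = rule[key] " " pl[j]
        if (index(cperm[cls] " ", " " pl[j] " ") == 0) cperm[cls] = cperm[cls] " " pl[j]
      }
    }
    END {
      if (nk == 0) { print "no AVC denials for " dom > "/dev/stderr"; exit 1 }
      print "module " mod " 1.0;\n"
      print "require {"
      print "\ttype " dom ";"
      for (t = 1; t <= nt; t++) print "\ttype " tlist[t] ";"
      for (c = 1; c <= nc; c++) print "\tclass " classes[c] " {" cperm[classes[c]] " };"
      print "}\n"
      print "#============= " dom " =============="
      for (k = 1; k <= nk; k++) {
        split(keys[k], kp, SUBSEP)
        print "allow " dom " " kp[1] ":" kp[2] " {" rule[keys[k]] " };"
      }
    }'
}
# On a real box: grep tftpd_t /var/log/audit/audit.log | avc_to_te tftplocal tftpd_t
printf '%s\n' "$SAMPLE_AVC" | avc_to_te tftplocal tftpd_t
```

Compare its output with the tftplocal.te that audit2allow -M wrote; any allow line in the real module that this does not produce from your own denials is one to question before running semodule -i.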

