Ubuntu-Server
TFTP Server Using py3tftp

TFTP Procedure Manual: Installing, Setting Up, and Using py3tftp with Port Forwarding

Important Security Note: TFTP (Trivial File Transfer Protocol) does not encrypt data or provide authentication, meaning that any file transferred over TFTP can potentially be intercepted. Additionally, unauthorized users can use TFTP to read or write files on your device if proper precautions are not in place. It's essential to limit the use of TFTP to trusted environments and, if possible, employ security measures like VPNs or firewalls to restrict access to the TFTP server. Always consider using more secure alternatives (such as FTP or SCP) if security is a concern.

This manual covers installing, configuring, and using the py3tftp TFTP server on an Ubuntu machine. It includes instructions for standard setup, port forwarding, and transferring files to a Cisco device.


1. Install py3tftp

py3tftp is a lightweight and easy-to-use TFTP server implemented in Python.

  1. Update the package list and install Python 3 (if not already installed):

    sudo apt update
    sudo apt install python3 python3-pip
  2. Install the py3tftp package via pip:

    pip3 install py3tftp
  3. Verify the installation:

    py3tftp --version

2. Set Up py3tftp

  1. Create a Directory for TFTP Files: Choose a directory to store the files you want to serve:

    mkdir ~/tftp_root
    chmod 777 ~/tftp_root
  2. Place the IOS Image in the TFTP Root Directory: Copy the Cisco IOS image (or any other required file) to the tftp_root directory:

    cp /path/to/ios-image.bin ~/tftp_root
  3. Start the TFTP Server: By default py3tftp serves the directory it is started from, so change into ~/tftp_root first, then run the server on the desired interface and port. The interface is selected with --host. By default, TFTP uses UDP port 69, but you can specify an alternate port if needed:

    • Standard port:
      sudo py3tftp --host <server-ip> -p 69
    • Custom port (e.g., 9069):
      py3tftp --host <server-ip> -p 9069

    Replace <server-ip> with the IP address of your Ubuntu machine (e.g., 192.168.1.100).
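
A pre-flight audit of the directory about to be served, as an added example (not part of the original manual or of py3tftp). It assumes py3tftp serves the directory it is started from; the function name, the `.bin` allow-list and the severity labels are hypothetical choices made for this example.

```python
import os
import stat
import sys
from pathlib import Path


def audit_tftp_root(root, allowed_suffixes=(".bin",)):
    """Return sorted (severity, relative_path, reason) findings for a TFTP root."""
    root = Path(root).resolve()
    findings = []

    def check(path, rel):
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            # The OS follows symlinks on open, so a link can expose files outside the root.
            target = path.resolve()
            if target != root and root not in target.parents:
                findings.append(("high", rel, "symlink points outside the root"))
            return
        if st.st_mode & stat.S_IWOTH:
            findings.append(("medium", rel, "world-writable (e.g. chmod 777)"))
        if rel != "." and path.name.startswith("."):
            # Dotfiles such as .ssh usually mean the server was started in a home directory.
            findings.append(("high", rel, "hidden entry: is this a home directory?"))
        elif stat.S_ISREG(st.st_mode) and path.suffix not in allowed_suffixes:
            findings.append(("low", rel, "unexpected file readable by any client"))

    check(root, ".")
    for dirpath, dirnames, filenames in os.walk(root):  # does not descend into symlinked dirs
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            check(path, str(path.relative_to(root)))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python3 audit_tftp_root.py ~/tftp_root
    results = audit_tftp_root(sys.argv[1] if len(sys.argv) > 1 else ".")
    for severity, rel, reason in results:
        print(f"[{severity}] {rel}: {reason}")
    # A non-zero exit status lets a wrapper script refuse to start the server.
    sys.exit(1 if any(sev == "high" for sev, _, _ in results) else 0)
```

Run it against the directory you are about to start py3tftp in; any "high" finding means files you did not intend to publish are reachable by every host that can reach the TFTP port.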


3. Enable Port Forwarding (Optional for Custom Ports)

If using a custom port (e.g., 9069), TFTP clients like Cisco IOS may not allow specifying the port. In this case, configure port forwarding to redirect traffic from port 69 to the custom port.

  1. Set Up Port Forwarding with iptables: Use iptables to redirect TFTP traffic:

    sudo iptables -t nat -A PREROUTING -p udp --dport 69 -j REDIRECT --to-ports 9069
  2. Verify the Port Forwarding: Check if the rule is applied:

    sudo iptables -t nat -L -v
  3. Save the Rules: Ensure the rule persists after reboot. Install iptables-persistent and save the configuration:

    sudo apt install iptables-persistent
    sudo netfilter-persistent save
    sudo netfilter-persistent reload

4. Configure Cisco Router or Switch

To copy a file from the TFTP server to a Cisco device, use the copy tftp command.

  1. Verify Connectivity: Test the connection between the Cisco device and the TFTP server:

    ping <server-ip>
  2. Copy the File to Flash Memory:

    • Standard port (69):
      copy tftp://<server-ip>/<image-file> flash:
    • Custom port (9069) with port forwarding enabled:
      copy tftp://<server-ip>/<image-file> flash:
  3. Follow the Prompts: Provide the source filename, destination filename, and confirm the operation.

  4. Verify the Transfer: Check the flash memory for the copied file:

    dir flash:

5. Additional Tips

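  1. Firewall Rules: Allow UDP traffic on the TFTP port (69 or custom) in the Ubuntu firewall. If you use the port forwarding from section 3, allow the custom port rather than 69, because the redirect rewrites the destination port before the firewall's input rules see the packet: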

    sudo ufw allow 69/udp
  2. Troubleshooting:

    • Check if the TFTP server is running:
      sudo netstat -tunlp | grep tftp
    • Monitor py3tftp logs for errors:
      tail -f /var/log/syslog
  3. Stop the TFTP Server: To stop the TFTP server, use Ctrl+C or kill the process:

    sudo killall py3tftp

6. Sample Use Case

Transfer c2800nm-adventerprisek9-mz.124-25d.bin to a Cisco Router:

  1. Start py3tftp on port 9069 (from ~/tftp_root, the directory that holds the image):

    py3tftp --host 192.168.1.100 -p 9069
  2. Set up port forwarding:

    sudo iptables -t nat -A PREROUTING -p udp --dport 69 -j REDIRECT --to-ports 9069
  3. Copy the file on the router:

    copy tftp://192.168.1.100/c2800nm-adventerprisek9-mz.124-25d.bin flash:
  4. Verify the file on the router:

    dir flash:

7. Clean Up

  1. Remove Port Forwarding:

    sudo iptables -t nat -D PREROUTING -p udp --dport 69 -j REDIRECT --to-ports 9069
  2. Stop the TFTP Server:

    sudo killall py3tftp