Re: ip_masq_ftp nat passive

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx, JKusnetz@xxxxxxxx
Subject: Re: ip_masq_ftp nat passive
From: Joseph Mack <mack.joseph@xxxxxxx>
Date: Wed, 23 May 2001 16:42:43 -0400
Jeremy Kusnetz wrote:
> 

although Julian says that all you need with VS-NAT and ftp
is the ip_masq_ftp module, it doesn't work for me
(director 2.2.19-1.0.7 with ip_masq_ftp in_ports=21);
my ftp client just hangs.

hey Julian we need to go have a beer and talk about this.


I run these rules on the director and ftp works fine

ipchains -A forward -p tcp -j MASQ -s RIP ftp -d 0.0.0.0/0
ipchains -A forward -p tcp -j MASQ -s RIP ftp-data -d 0.0.0.0/0
ipchains -A forward -p tcp -j MASQ -s RIP 1025:65535 -d 0.0.0.0/0


> Here are the IP chains I'm setting up:
> 
> echo "1" > /proc/sys/net/ipv4/ip_forward
> ipchains -F
> ipchains -A forward -j MASQ -s 10.75.0.0/16 -d 0.0.0.0/0
> 
> I tried setting up ipchains like your script does, but I got connection
> refused errors when trying to ftp, 

this means that your ftp connect request went to a machine that doesn't have
an ftpd listening. Either you don't have ipvsadm with an ftp entry in it
(i.e. ftp requests are not being forwarded and the director isn't accepting
ftp requests on the VIP either) or the real-server to which the requests
are being forwarded isn't listening on port:ftp (this doesn't seem likely
- all machines have ftpd on them).

You don't have funny filter rules do you? (it's the topic of the week, I'm
afraid). 

> so I put it back the way I originally had
> it.  I tried this:
> 
> ipchains -A forward -p tcp -j MASQ -s 10.75.0.9 ftp -d 0.0.0.0/0
> ipchains -A forward -p tcp -j MASQ -s 10.75.32.9 ftp -d 0.0.0.0/0
> ipchains -A forward -p tcp -j MASQ -s 10.75.64.9 ftp -d 0.0.0.0/0

I would expect that it wouldn't work as you only have port-ftp here, rather
than ftp,ftp-data and 1025:65535

> Can I do a global like I have above, 

yes. I did it the way I did (one line for each server:service) so that
only the servers:services I wanted would be MASQ'ed. The way you have it,
some machine on the 10.75.0.0 network that's not a part of the LVS wouldn't
be able to get out. I'm just being extra safe. One day someone will wheel
a machine in and turn it on and it won't work and you won't be there
to tell them why :-)

Joe
-- 
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center, 
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
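Added example, written for this page and not code from the thread: a small shell model of the two ipchains policies discussed above (Joe's one-rule-per-server:service set versus Jeremy's subnet-wide MASQ), so the difference can be checked on a box without ipchains. The RIP list is taken from Jeremy's rules; the function names and the dry-run approach are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Models the two ipchains
# policies so their effect can be compared without ipchains installed.
# RIPs are the real servers from Jeremy's rules; everything else is assumed.

RIPS="10.75.0.9 10.75.32.9 10.75.64.9"

# Print Joe's per-server rules for the given real-server IPs. Dry run: it
# only echoes the commands, so it runs where ipchains does not exist.
emit_per_server_rules() {
    for rip in "$@"; do
        for svc in ftp ftp-data 1025:65535; do
            echo "ipchains -A forward -p tcp -j MASQ -s $rip $svc -d 0.0.0.0/0"
        done
    done
}

# Would the per-server ruleset masquerade a TCP packet from SRC with source
# port PORT? Returns 0 (yes) or 1 (no). Numeric ports only (ftp=21, ftp-data=20).
masq_per_server() {
    src=$1; port=$2
    for rip in $RIPS; do
        [ "$src" = "$rip" ] || continue
        [ "$port" -eq 21 ] && return 0
        [ "$port" -eq 20 ] && return 0
        [ "$port" -ge 1025 ] && [ "$port" -le 65535 ] && return 0
    done
    return 1
}

# Would the global "-s 10.75.0.0/16" rule masquerade a packet from SRC?
# Any host on the /16 matches, whether or not it is part of the LVS.
masq_global() {
    case $1 in
        10.75.*) return 0 ;;
        *) return 1 ;;
    esac
}
```

A host such as 10.75.7.7 that is not a real server gets out under the global rule but not under the per-server set, which is the point Joe makes about being "extra safe".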

