
Re: Active ftp w/ lvs NAT broken?

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Active ftp w/ lvs NAT broken?
From: Ranga Nathan <kairanga@xxxxxxx>
Date: Tue, 22 Nov 2005 11:20:02 -0800
Doesn't FTP use port 20 for data transfer? I am not sure if it is active or passive that does it. Looks like port 20 traffic may be going to the load balancers.
You may want to add port 20 to your configuration.
You should not have this problem if you use firewall marks and drop port-based balancing. Of course this will open up traffic for all ports on the real servers :-)

Mark de Vries wrote:

Hi,

I have a little setup where I balance multiple FTP services behind a pair of
ip_vs loadbalancers. Each box has its own public IP and there are 6 or so
VIPs/aliases that are on whichever box is the active balancer. FTP
services are balanced to two hosts with lvs-NAT.

Now I've noticed that active FTP is broken. On the client side I can see
that the ftp-data connection is coming from the IP of the loadbalancer
instead of the VIP I made the initial connection to.

I have:

Prot LocalAddress:Port Scheduler Flags
 -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  IP1:80 wlc persistent 1800
 -> 10.31.67.203:80              Masq    10     0          0
 -> 10.31.67.202:80              Masq    10     0          0
TCP  IP2:80 wlc
 -> 10.31.67.207:8587            Masq    10     3          8
 -> 10.31.67.207:8586            Masq    10     1          12
 -> 10.31.67.207:8585            Masq    10     2          10
TCP  IP3:21 wlc
 -> 10.31.67.203:21              Masq    10     15         62
 -> 10.31.67.202:21              Masq    10     16         53
TCP  IP4:21 wlc persistent 1800
 -> 10.31.67.209:21              Masq    10     0          0
 -> 10.31.67.208:21              Masq    10     0          0
TCP  IP5:21 wlc persistent 1800
 -> 10.31.67.206:21              Masq    10     0          0
 -> 10.31.67.205:21              Masq    10     0          0

When I connect to IP3:ftp everything works fine until I initiate a data
transfer. On the client I see an incoming connection from IP0 (the
primary IP of the balancer which has no virtual services) which is refused
by the client because it comes from the wrong IP.

Passive ftp works fine.

The kernel version is 2.6.12.6. The ip_vs_ftp module is loaded (and also
tried with and without ip_conntrack_ftp)... And I don't know where to look
for the problem.

Any help welcome! :)

Regards,
Mark


