LVS-NAT Active FTP issue...

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: LVS-NAT Active FTP issue...
From: Mark de Vries <markdv.lvsuser@xxxxxxxxxx>
Date: Fri, 25 Nov 2005 11:18:03 +0100 (CET)
Problem found...

The thing is that ip_vs(_ftp) seems to assume that the ftp-data connection
will be initiated from port 20. Seems like a valid assumption...

But unfortunately this is not always the case... the vsftpd I was testing
with was configured to "connect_from_port_20=NO" by default. Once I
switched to "=YES" active FTP worked fine.

"connect_from_port_20=NO":
IPVS: PORT 10.31.12.172:32847 detected
IPVS: Bind-dest TCP c:10.31.12.172:32847 v:10.31.7.250:20 d:10.0.0.100:20 fwd:M s:0 flg:100 cnt:1 destcnt:5
IPVS: lookup/out TCP 10.0.0.100:32774->10.31.12.172:32847 not hit

"connect_from_port_20=YES":
IPVS: PORT 10.31.12.172:32849 detected
IPVS: Bind-dest TCP c:10.31.12.172:32849 v:10.31.7.250:20 d:10.0.0.100:20 fwd:M s:0 flg:100 cnt:1 destcnt:5
IPVS: lookup/out TCP 10.0.0.100:20->10.31.12.172:32849 hit
IPVS: After SNAT: TCP 10.31.7.250:20->10.31.12.172:32849
IPVS: TCP output  [..A.] 10.0.0.100:20->10.31.12.172:32849 state: SYN_RECV->ESTABLISHED cnt:2

So.... Now the question is: is this a vsftpd 'problem'? MUST ftp-data
connections originate from port 20? Or should this assumption be relaxed?

Apparently the iptables conntrack_ftp module does not assume it: connections
from ports other than 20 are considered "RELATED".
(I have not checked the src or debugged anything, I just observed that
this type of connection is indeed matched by a "RELATED" rule in my own
iptables setup.)

Regards,
Mark
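The difference Mark observed, as an added model that is not code from the LVS or netfilter trees: ip_vs_ftp parses the client's PORT command and binds a connection entry keyed on real-server port 20 (the "Bind-dest ... d:10.0.0.100:20" line), so a data connection the server opens from an ephemeral port never hits that entry, while a conntrack_ftp-style expectation only pins the destination announced in PORT and accepts any server source port. The PORT line, the addresses and the ephemeral port 32774 are taken from the debug output above; the expectation structures and the lookup are a simplification of what the kernel does with its hash tables, not the kernel's own code.

```python
"""Model of active-FTP data-connection matching under ip_vs_ftp vs conntrack_ftp.

Added illustration, not code from the LVS or netfilter trees: the kernel keeps
hash-table entries, here an expectation is a dataclass and the lookup is a
tuple comparison.  Addresses mirror the IPVS debug output in the post; the
PORT command itself is constructed to yield client port 32847.
"""
import re
from dataclasses import dataclass
from typing import Optional

_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line: str) -> tuple:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); reject octets > 255."""
    m = _PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"byte out of range in {line!r}")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


@dataclass(frozen=True)
class Expectation:
    client: tuple            # (ip, port) the server must connect to, from PORT
    vip: str                 # source address the client must see after SNAT
    real_server: str         # real server allowed to open the data connection
    server_port: Optional[int]  # 20 = ip_vs_ftp style; None = any source port


def ipvs_ftp_expect(port_line: str, vip: str, real_server: str) -> Expectation:
    """ip_vs_ftp behaviour: entry c:<client> v:<vip>:20 d:<rs>:20, as in the log."""
    return Expectation(parse_port_command(port_line), vip, real_server, 20)


def conntrack_ftp_expect(port_line: str, vip: str, real_server: str) -> Expectation:
    """conntrack_ftp-style behaviour: only the PORT destination is pinned."""
    return Expectation(parse_port_command(port_line), vip, real_server, None)


def lookup_out(exp: Expectation, src: tuple, dst: tuple) -> Optional[tuple]:
    """Outbound SYN from the real server: SNATed source tuple on hit, None on miss."""
    src_ip, src_port = src
    if src_ip != exp.real_server or dst != exp.client:
        return None
    if exp.server_port is not None and src_port != exp.server_port:
        return None  # this is the "lookup/out ... not hit" case
    return (exp.vip, src_port)


def simulate() -> dict:
    """Replay both vsftpd settings against both matching styles."""
    port_line = "PORT 10,31,12,172,128,79"   # constructed: 128*256 + 79 == 32847
    vip, rs = "10.31.7.250", "10.0.0.100"
    client = parse_port_command(port_line)
    ipvs = ipvs_ftp_expect(port_line, vip, rs)
    ct = conntrack_ftp_expect(port_line, vip, rs)
    cases = {
        "connect_from_port_20=NO": (rs, 32774),   # ephemeral port from the log
        "connect_from_port_20=YES": (rs, 20),
    }
    return {
        name: {"ipvs": lookup_out(ipvs, src, client),
               "conntrack": lookup_out(ct, src, client)}
        for name, src in cases.items()
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(name)
        for style, hit in result.items():
            print(f"  {style:9s}: {'hit, SNAT to ' + repr(hit) if hit else 'not hit'}")
```

With `connect_from_port_20=NO` the ip_vs_ftp lookup misses and the conntrack-style lookup hits; with `=YES` both hit and the source is rewritten to the VIP. Binding port 20 is a privileged operation, which is why vsftpd makes it an explicit option rather than the only behaviour.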

