Re: outbound nat problem

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: outbound nat problem
From: Mark de Vries <markdv.lvsuser@xxxxxxxxxx>
Date: Wed, 7 Dec 2005 19:48:37 +0100 (CET)
On Wed, 7 Dec 2005, Rob Ruth wrote:

> When I load the ip_vs_ftp it causes additional/different problems.
>
> Without ip_vs_ftp I get the following when I do a directory listing on
> the ftp server:
>
> ftp> ls
> 227 Entering Passive Mode (198,X,X,X,217,208)  <-- my public ip which
> it nat'd on the firewall back to the vip on lvs
> ftp: connect: Connection refused

Your public IP? Hmmmm....

You are trying to ftp from which machine to which server? The "Entering
Passive Mode" message should display the IP of the server you are doing
the ftp session to, not that of the client, so I don't understand...

Rgds,
Mark.

> When I load ip_vs_ftp I get the following:
>
> ftp> ls
> 227 Entering Passive Mode (172,16,123,25,220,5). <-- internal non-public
> vip
> long stall and eventual timeout...
>
> I'm using proftpd which is setup to masquerade the public IP but as soon
> as I load ip_vs_ftp it seems to take over.

>
> Mark de Vries wrote:
>
> >On Tue, 6 Dec 2005, Rob Ruth wrote:
> >
> >
> >
> >>I am having issues getting passive ftp up and running and have read
> >>through the archives but have yet to find a fix. My current setup is as
> >>follows:
> >>
> >>lvs public ip - 172.16.123.24
> >>lvs private ip - 10.0.0.252
> >>virtual ip  - 172.16.123.25
> >>real server - 10.0.0.95
> >>
> >>I have narrowed down my issue to outbound nat. When the server connects
> >>back to the client it is coming from the lvs public ip (172.16.123.24)
> >>
> >>
> >
> >That's active ftp. Do you have the ip_vs_ftp module loaded (or compiled
> >in)? That should do the trick.
> >
> >The only time I've had this problem was with vsftpd when configured to
> >initiate the connection from an unpriv port instead of the normal ftp-data
> >port.
> >
> >I'm (trying to) create a patch that will allow ip_vs to work in this case
> >too.
> >
> >
> >
> >>not the virtual ip (172.16.123.25). I've been playing around w/
> >>postrouting rules in iptables but can't seem to get it working. Any
> >>suggestions on a fix?
> >>
> >>
> >
> >Hmmm... I was able to fix it like that. Something like:
> >
> >iptables -t nat -[AI] POSTROUTING -s RIP -o PUB_INTF -j SNAT --to-source
> >VIP
> >
> >Make sure the rule is before any general SNAT/MASQUERADE rule...
> >
> >Regards,
> >Mark
> >
> >_______________________________________________
> >LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> >Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> >or go to http://www.in-addr.de/mailman/listinfo/lvs-users
> >
> >
>


Regards,
Mark
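The check Mark describes further up (the address in the 227 reply should be the address the client opened the control connection to) written out as a small shell helper. This is an added example, not code from the thread or from the LVS project. The sample replies are constructed; 192.0.2.10 stands in for the client-facing public address that is elided in Rob's mail, and 172.16.123.25 is the VIP from the thread.

```sh
#!/bin/sh
# Added example: parse an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# reply and compare the advertised data address with the address the control
# connection was opened to. They should be the same; in the thread they differ
# once ip_vs_ftp rewrites the reply to the private VIP.

# pasv_host REPLY -> dotted quad advertised in the reply (empty if unparseable)
pasv_host() {
    printf '%s\n' "$1" |
        sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),[0-9]*,[0-9]*).*/\1.\2.\3.\4/p'
}

# pasv_port REPLY -> p1*256 + p2, the data port the client has to connect to
pasv_port() {
    _p=$(printf '%s\n' "$1" |
        sed -n 's/.*([0-9]*,[0-9]*,[0-9]*,[0-9]*,\([0-9]*\),\([0-9]*\)).*/\1 \2/p')
    [ -n "$_p" ] || return 1
    set -- $_p            # $1 = p1, $2 = p2
    echo $(($1 * 256 + $2))
}

# pasv_check CONTROL_IP REPLY -> "ok HOST:PORT" (status 0),
# "mismatch ..." (status 1), or "unparseable ..." (status 2)
pasv_check() {
    _ctl=$1
    _host=$(pasv_host "$2")
    _port=$(pasv_port "$2") || { echo "unparseable: $2"; return 2; }
    if [ "$_host" = "$_ctl" ]; then
        echo "ok $_host:$_port"
    else
        # The data address is not the one the client dialled, so the data
        # connection goes somewhere the client may not be able to reach (the
        # "long stall and eventual timeout" with the private VIP in the thread).
        echo "mismatch: control=$_ctl advertised=$_host:$_port"
        return 1
    fi
}

# Constructed replies modelled on the thread. 192.0.2.10 is a placeholder for
# the public address the client actually connected to.
pasv_check 172.16.123.25 '227 Entering Passive Mode (172,16,123,25,220,5).' || true
pasv_check 192.0.2.10    '227 Entering Passive Mode (172,16,123,25,220,5).' || true
```

A matching address is necessary but not sufficient: in Rob's first run the reply did advertise the public address and the client still got "Connection refused", because nothing was forwarding the advertised data port to the real server. The helper only catches the address mismatch, not a missing mapping for the port.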

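Mark's SNAT fix quoted above depends on rule order: the POSTROUTING rule that SNATs the real server to the VIP has to be hit before any general SNAT/MASQUERADE rule, otherwise the real server's outbound data connection leaves with the director's own public address, which is exactly what Rob reported. The following added shell example (not from the thread or from the LVS project) checks an iptables-save style nat dump for that ordering and prints the insert command when it is wrong. RIP 10.0.0.95 and VIP 172.16.123.25 come from the thread; the interface name eth0 and the two dumps are constructed.

```sh
#!/bin/sh
# Added example: verify that in the nat POSTROUTING chain the rule
# "-s RIP -j SNAT --to-source VIP" precedes any general SNAT/MASQUERADE rule.
# Input is iptables-save format on stdin (on a live director it would come from
# `iptables-save -t nat`; the dumps below are constructed).

RIP=10.0.0.95          # real server (from the thread)
VIP=172.16.123.25      # virtual IP (from the thread)
PUB_INTF=eth0          # assumed public interface name

# snat_order_ok RIP VIP < dump: status 0 when the first SNAT/MASQUERADE rule in
# POSTROUTING is the "-s RIP ... -j SNAT --to-source VIP" rule; status 1 when a
# MASQUERADE or some other SNAT comes first, or when no VIP rule exists at all.
# Deliberately conservative: an earlier MASQUERADE is flagged even if its own
# match would not cover RIP.
snat_order_ok() {
    awk -v rip="$1" -v vip="$2" '
        BEGIN { gsub(/\./, "\\.", rip) }              # literal dots in the regex
        /^-A POSTROUTING / && /-j (SNAT|MASQUERADE)/ {
            if ($0 ~ ("-s " rip "(/32)? ") && index($0, "--to-source " vip) > 0)
                ok = 1
            exit                                       # first NAT rule decides
        }
        END { exit (ok ? 0 : 1) }
    '
}

# snat_fix_cmd RIP PUB_INTF VIP: Mark''s rule, inserted at position 1 so it is
# evaluated before any existing catch-all.
snat_fix_cmd() {
    echo "iptables -t nat -I POSTROUTING 1 -s $1 -o $2 -j SNAT --to-source $3"
}

# Constructed nat tables. NAT_GOOD has the VIP SNAT first; NAT_BAD has a
# catch-all MASQUERADE ahead of it, so RIP leaves with the director''s address.
NAT_GOOD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.95/32 -o eth0 -j SNAT --to-source 172.16.123.25
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT'
NAT_BAD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.95/32 -o eth0 -j SNAT --to-source 172.16.123.25
COMMIT'

# audit NAME DUMP: report the verdict and, when wrong, the command that fixes it
audit() {
    if printf '%s\n' "$2" | snat_order_ok "$RIP" "$VIP"; then
        echo "$1: VIP SNAT for $RIP is ahead of the general NAT rule"
    else
        echo "$1: $RIP is NATed before the VIP rule is reached; insert it first:"
        echo "    $(snat_fix_cmd "$RIP" "$PUB_INTF" "$VIP")"
    fi
}

audit GOOD "$NAT_GOOD"
audit BAD  "$NAT_BAD"
```

On a live director the same check is `iptables-save -t nat | snat_order_ok 10.0.0.95 172.16.123.25`, and `iptables -t nat -L POSTROUTING -n --line-numbers` shows the order the check is reasoning about.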
