Re: outbound nat problem

[Rob Ruth <rruth@xxxxxxxxxxx>]

lvs public ip - 172.16.123.24 (dmz)
lvs private ip - 10.0.0.252 (lan)
virtual ip  - 172.16.123.25 (dmz)
real server - 10.0.0.95 (lan)
public (routable) ip - 198.x.x.x (wan)

I have two layers of nat. Firewall to lvs (wan -> dmz) and lvs to real 
server (dmz -> lan). The public IP is nat'd to the vip on my firewall.
Without ip_vs_ftp the passive mode message is displaying the publicly 
routable address (198.x.x.x). When I load ip_vs_ftp the message shows 
the vip which is on a private dmz (172.16.123.25).
sorry for the confusion...

Mark de Vries wrote:

> On Wed, 7 Dec 2005, Rob Ruth wrote:
>
>  
>
> > When I load the ip_vs_ftp it causes additional/different problems.
> >
> > Without ip_vs_ftp I get the following when I do a directory listing on
> > the ftp server:
> >
> > ftp> ls
> > 227 Entering Passive Mode (198,X,X,X,217,208)  <-- my  public ip which
> > it nat'd on the firewall back to the vip on lvs
> > ftp: connect: Connection refused
> >    
> Your public IP? Hmmmm....
>
> You are trying to ftp from which machine to which server? The "Entering
> Passive Mode"  message should display the IP from the server you are doing
> the ftp session to, not that of the client, so I don't understand...
>
> Rgds,
> Mark.
>
>  
>
> > When I load ip_vs_ftp I get the following:
> >
> > ftp> ls
> > 227 Entering Passive Mode (172,16,123,25,220,5). <-- internal non-public
> > vip
> > long stall and eventual timeout...
> >
> > I'm using proftpd which is setup to masquerade the public IP but as soon
> > as I load ip_vs_ftp it seems to take over.
> >    
>  
>
> > Mark de Vries wrote:
> >
> >    
> >
> > > On Tue, 6 Dec 2005, Rob Ruth wrote:
> > >
> > >
> > >
> > >      
> > >
> > > > I am having issues getting passive ftp up and running and have read
> > > > through the archives but have yet to find a fix. My current setup is as
> > > > follows:
> > > >
> > > > lvs public ip - 172.16.123.24
> > > > lvs private ip - 10.0.0.252
> > > > virtual ip  - 172.16.123.25
> > > > real server - 10.0.0.95
> > > >
> > > > I have narrowed down my issue to outbound nat. When the server connects
> > > > back to the client it is coming from the lvs public ip (172.16.123.24)
> > > >
> > > >
> > > >        
> > > That's active ftp. Do you have the ip_vs_ftp module loaded (or compiled
> > > in)? That should do the trick.
> > >
> > > The only time I've had this problem was with vsftpd when configured to
> > > initiate the connection from an unpriv port instead of the normal ftp-data
> > > port.
> > >
> > > I'm (trying to) create a patch that will allow ip_vs to work in this case
> > > too.
> > >
> > >
> > >
> > >      
> > >
> > > > not the virtual ip (172.16.123.25). I've been playing around w/
> > > > postrouting rules in iptables but can't seem to get it working. Any
> > > > suggestions on a fix?
> > > >
> > > >
> > > >        
> > > Hmmm... I was able to fix it like that. Something like:
> > >
> > > iptables -t nat -[AI] POSTROUTING -s RIP -o PUB_INTF -j SNAT --to-source
> > > VIP
> > >
> > > Make sure the rule is before any general SNAT/MASQUERADE rule...
> > >
> > > Regards,
> > > Mark
> > >
> > >
> > >
> > >      
> >    
>
> Regards,
> Mark
>
>