Okay, since the global ipchains will work, I'll stick with it for now.
ipchains -A forward -j MASQ -s 10.75.0.0/16 -d 0.0.0.0/0
It's working with http/https/smtp/pop, I'm just getting that problem with
passive ftp.
In the -d 0.0.0.0/0 part of the ipchain, why is it zeros instead of the VIP?
Isn't the destination the VIP? I have multiple VIP interfaces on the LVS,
could this be a problem?
Is it worth trying to upgrade ip_masq_ftp to the version that comes with
2.2.19? Does it need things that are also in 2.2.19 kernel release? It
seems like that in_ports option helped one user in the archives.
Oh, and no funny filter rules, at least none that I set up intentionally
since don't know what they are.
-----Original Message-----
From: Joseph Mack [mailto:mack.joseph@xxxxxxx]
Sent: Wednesday, May 23, 2001 4:43 PM
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx; Jeremy Kusnetz
Subject: Re: ip_masq_ftp nat passive
Jeremy Kusnetz wrote:
>
although Julian says that all you need with VS-NAT and ftp
is the ip_masq_ftp module, it doesn't work for me
(director 2.2.19-1.0.7 with ip_masq_ftp in_ports=21)
my ftp client just hangs.
hey Julian we need to go have a beer and talk about this.
I run these rules on the director and ftp works fine
ipchains -A forward -p tcp -J MASQ -s RIP ftp -d 0.0.0.0/0
ipchains -A forward -p tcp -J MASQ -s RIP ftp-data -d 0.0.0.0/0
ipchains -A forward -p tcp -J MASQ -s RIP 1025:65535 -d 0.0.0.0/0
> Here are the IP chains I'm setting up:
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> ipchains -F
> ipchains -A forward -j MASQ -s 10.75.0.0/16 -d 0.0.0.0/0
>
> I tried setting up ipchains like your script does, but I got connection
> refused errors when trying to ftp,
this means that your ftp connect request went to a machine that doesn't have
an ftpd listening. Either you don't have ipvsadm with an ftp entry in it
(ie ftp requests are not being forwarded and the director isn't accepting
ftp requests on the VIP either) or the real-server to which the requests
are being forwarded isn't listening on port:ftp (this doesn't seem likely
- all machines have ftpd on them).
You don't have funny filter rules do you? (it's the topic of the week, I'm
afraid).
> so I put it back the way I originally had
> it. I tried this:
>
> ipchains -A forward -p tcp -j MASQ -s 10.75.0.9 ftp -d 0.0.0.0/0
> ipchains -A forward -p tcp -j MASQ -s 10.75.32.9 ftp -d 0.0.0.0/0
> ipchains -A forward -p tcp -j MASQ -s 10.75.64.9 ftp -d 0.0.0.0/0
I would expect that it wouldn't work as you only have port-ftp here, rather
than ftp,ftp-data and 1025:65535
> Can I do a global like I have above,
yes. I did it the way I did (one line for each server:service) so that
only the servers:services I wanted would be MASQ'ed. The way you have it,
some machine on the 10.75.0.0 network that's not a part of the LVS wouldn't
be able to get out. I'm just being extra safe. One day someone will wheel
a machine in and turn it on and it won't work and you won't be there
to tell them why :-)
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
|