I think I got it by thinking a bit more clearly and watching my
ipchains filter with more logging enabled.
For my setup of a non-load-balanced ftp-proxy service on LVS-NAT,
no entry in ipvsadm is needed.
Everything is handled by ftp-proxy on the director.
I'm reporting it to the list because others may have the same problem
setting up an ftp proxy on an LVS system.
Configuration details:
In ftp-proxy.conf the only uncommented lines are:
DestinationAddress 10.1.1.1
DestinationPort 21
Listen 195.49.62.59
PassiveMinDataPort 41000
PassiveMaxDataPort 41999
In my ipchains ruleset I have:
# allow incoming ftp command connections on VIP
-A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} 21 $L
# data connections in active mode
-A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} 20 $L
# allow data connections in passive mode
-A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} ${FTP_PORTS} $L
where
FTP_PORTS="41000:41999"
NPORTS="1024:65535"
ALL=0/0
VIP=195.49.62.59
Alois
---- setup -------------------
|
| eth1: real address $DEP, virtual address eth1:0 $VIP
| DEP=195.49.62.58 VIP=195.49.62.59
+---------------------+
| LVS-NAT director | running kernel 2.2.19
| ipchains firewall |
| ftp-proxy |
+---------------------+
| eth0: 10.1.1.254 hostname="w0"
|
|
switch--------------- other real http servers w2, w3, w4, ...
|
| eth0: 10.1.1.1 hostname="w1"
+---------------------+
| http server | running kernel 2.4.5
| ftp server |
+---------------------+
|
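The ruleset above, as an added example that is not part of the original post: a small POSIX shell script that derives the three ipchains input rules from the ftp-proxy.conf settings, so the passive data-port range opened in the firewall is generated from, and checked against, the range the proxy advertises (if the two drift apart, passive transfers either get dropped or a wider range than necessary is exposed on the VIP). The config text is a constructed sample with the same values as the post; `-l` is assumed for the post's `$L` logging flag; `conf_value`, `ftp_port_range`, `gen_rules` and `check_range_matches` are names chosen here. The rules are only printed, never applied to a live kernel.

```shell
#!/bin/sh
# Added example (not code from the original post): generate the ipchains rules
# for ftp-proxy on an LVS-NAT director from ftp-proxy.conf, and check that the
# passive range in the firewall matches the one the proxy advertises.

# Constructed sample of the uncommented ftp-proxy.conf lines
# (assumed format: "Keyword value", one per line, '#' starts a comment).
SAMPLE_CONF='
# ftp-proxy.conf (constructed sample)
DestinationAddress 10.1.1.1
DestinationPort 21
Listen 195.49.62.59
PassiveMinDataPort 41000
PassiveMaxDataPort 41999
'

# conf_value CONF KEYWORD -> value of the first uncommented KEYWORD line
conf_value() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p" \
      | head -n 1
}

# ftp_port_range CONF -> "MIN:MAX" in ipchains port-range syntax.
# Fails if the range is missing or inverted (an inverted range would
# silently match nothing and every passive transfer would be dropped).
ftp_port_range() {
    min=$(conf_value "$1" PassiveMinDataPort)
    max=$(conf_value "$1" PassiveMaxDataPort)
    [ -n "$min" ] && [ -n "$max" ] \
      || { echo "passive data-port range not set" >&2; return 1; }
    [ "$min" -le "$max" ] \
      || { echo "inverted passive range $min:$max" >&2; return 1; }
    printf '%s:%s\n' "$min" "$max"
}

# gen_rules CONF IFACE -> the ipchains input rules for the VIP the proxy
# listens on. "-l" is assumed for the post's $L logging flag.
gen_rules() {
    conf=$1
    iface=$2
    vip=$(conf_value "$conf" Listen)
    range=$(ftp_port_range "$conf") || return 1
    nports="1024:65535"   # unprivileged client source ports
    all="0/0"
    cat <<EOF
# allow incoming ftp command connections on VIP
ipchains -A input -j ACCEPT -i $iface -p tcp -s $all $nports -d $vip 21 -l
# data connections in active mode
ipchains -A input -j ACCEPT -i $iface -p tcp -s $all $nports -d $vip 20 -l
# passive-mode data connections, limited to the range the proxy advertises
ipchains -A input -j ACCEPT -i $iface -p tcp -s $all $nports -d $vip $range -l
EOF
}

# check_range_matches CONF FIREWALL_RANGE -> 0 if a hand-written FTP_PORTS
# value agrees with the proxy config, 1 otherwise.
check_range_matches() {
    [ "$(ftp_port_range "$1")" = "$2" ]
}

# Dry run: print the rules for eth1 (the external interface in the post).
gen_rules "$SAMPLE_CONF" eth1
```

Run it once after editing ftp-proxy.conf and diff the output against the live ruleset; `check_range_matches "$CONF" "$FTP_PORTS"` is the one-line guard to put in the firewall script before the passive rule is loaded.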