Re: ipchains filter rules for ftp-proxy - done

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: ipchains filter rules for ftp-proxy - done
From: Roberto Nibali <ratz@xxxxxx>
Date: Thu, 21 Jun 2001 11:34:30 +0200

Hi Alois,

I'm really sorry I haven't replied earlier, but I get no time anymore
to contribute to this project from my employer. I'm in the process of
setting up my testing and development environment at home, so I can
independently work there, but this will take some time.

Alois Treindl wrote:
> 
> I think I got it, by thinking a bit more clearly and watching my
> ipchains filter with more logging enabled.

Joe, I send you an updated version of the SuSE ftp-proxy evaluation
where I either write it in a way everybody can use it or I just drop
the mention of the fw-* rules, which only make sense for terreActive
firewalls.
 
> For my setup of a not-loadbalanced ftp-proxy service on LVS-NAT,
> no entry in ipvsadm is needed.
> Everything is handled by ftp-proxy on the director.

So you have the policy DENY on the input chain?
 
> I report it to the list because others may have the same problem
> setting up an ftp proxy on an LVS system.
> 
> Configuration details:
> 
> in ftp-proxy.conf the only lines uncommented are:
> 
> DestinationAddress 10.1.1.1
> DestinationPort 21
> Listen          195.49.62.59

Hmm, does this really work? If you redirect packets they won't
reach the proxy in a 2.2.x kernel if the listener is not INADDR_ANY.
At least I couldn't get it working, and if you follow the path
in the kernel it is not possible that this would work. But I need
to reread the comments I once made about this before stating this.

> PassiveMinDataPort      41000
> PassiveMaxDataPort      41999

My configuration is:

ServerType standalone
AllowTransProxy yes
ServerRoot /var/tmp
DestinationAddress 1.1.1.99
DestinationTransferMode passive
Listen 0.0.0.0
Port 43012
LogDestination daemon
PassiveMinDataPort 22048
PassiveMaxDataPort 23071
PidFile /var/run/ftpproxy.pid
TimeOut 300
ForkLimit 4096
WelcomeString 'FTP-Server ready'
 
> in my ipchains ruleset I have:
> # allow incoming ftp command connections on VIP
> -A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} 21 $L
> # data connections in active mode
> -A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} 20 $L
> # allow data connections in passive mode
> -A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP}
> ${FTP_PORTS} $L

But then your policy is ACCEPT.
 
> where
> FTP_PORTS="41000:41999"
> NPORTS="1024:65535"
> ALL=0/0
> VIP=195.49.62.59

So this is the setup you're happy with?

> ---- setup -------------------
> 
>         |
>         | eth1: real address $DEP, virtual address eth1:0 $VIP
>         | DEP=195.49.62.58         VIP=195.49.62.59
> +---------------------+
> | LVS-NAT director    |  running kernel 2.2.19
> | ipchains firewall   |
> | ftp-proxy           |
> +---------------------+

Very nice :)

Have a nice day,
Roberto Nibali, ratz

-- 
mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'`
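Added example, not part of the original post or of the ftp-proxy project: a small Python checker that parses the ftp-proxy.conf lines and the ipchains ruleset quoted in this thread and cross-checks them, i.e. that the input chain has a DENY policy (the point Roberto raises), that the control port and the whole PassiveMinDataPort..PassiveMaxDataPort range are ACCEPTed towards the VIP, and that a non-INADDR_ANY Listen is flagged only when a REDIRECT rule is present. The sample configs are constructed from the values in the post, `$L` is assumed to expand to the ipchains `-l` log flag, and all function names are my own.

```python
"""Cross-check an ftp-proxy.conf against the ipchains rules that are meant to
admit its control and passive-data connections (2.2.x director as in the thread).
Added example: samples constructed from the post, helper names are my own."""
import re

# Constructed sample: the uncommented lines quoted from ftp-proxy.conf
SAMPLE_PROXY_CONF = """\
DestinationAddress 10.1.1.1
DestinationPort 21
Listen          195.49.62.59
PassiveMinDataPort      41000
PassiveMaxDataPort      41999
"""
# Constructed sample: the shell variables ($L assumed to be ipchains' -l log flag)
SAMPLE_VARS = {"FTP_PORTS": "41000:41999", "NPORTS": "1024:65535",
               "ALL": "0/0", "VIP": "195.49.62.59", "L": "-l"}
# Constructed sample: the input-chain rules quoted in the post (no -P line)
SAMPLE_RULES = """\
# allow incoming ftp command connections on VIP
-A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} 21 $L
# data connections in active mode
-A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} 20 $L
# allow data connections in passive mode
-A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} ${FTP_PORTS} $L
"""
_VAR = re.compile(r"\$\{(\w+)\}|\$(\w+)")
_OPT = {"-p": "proto", "-i": "iface", "-j": "target"}

def parse_proxy_conf(text):
    """Return {Key: value} for the non-comment 'Key value' lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip().strip("'")
    return conf

def expand_vars(line, variables):
    """Substitute $NAME / ${NAME} as the shell would before ipchains sees the line."""
    return _VAR.sub(lambda m: variables.get(m.group(1) or m.group(2), ""), line)

def parse_port_spec(spec):
    """'21' -> (21, 21); '41000:41999' -> (41000, 41999)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def parse_ruleset(text, variables):
    """Return (rules, policies): '-A' lines as dicts, '-P chain POLICY' as a map."""
    rules, policies = [], {}
    for raw in text.splitlines():
        toks = expand_vars(raw, variables).split()
        if not toks or toks[0].startswith("#"):
            continue
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            continue
        if toks[0] != "-A":
            continue
        rule = {"chain": toks[1], "src": None, "sport": None, "dst": None,
                "dport": None, "proto": None, "iface": None, "target": None, "flags": []}
        i = 2
        while i < len(toks):
            t = toks[i]
            if t in ("-s", "-d"):            # address, optionally followed by port[:port]
                addr, ports, i = toks[i + 1], None, i + 2
                if i < len(toks) and not toks[i].startswith("-"):
                    ports, i = parse_port_spec(toks[i]), i + 1
                side = "src" if t == "-s" else "dst"
                rule[side], rule["sport" if side == "src" else "dport"] = addr, ports
            elif t in _OPT:
                rule[_OPT[t]], i = toks[i + 1], i + 2
            else:                            # bare flags such as -l (log)
                rule["flags"].append(t)
                i += 1
        rules.append(rule)
    return rules, policies

def covered(ranges, lo, hi):
    """True if one accepted (a, b) range contains every port in lo..hi."""
    return any(a <= lo and hi <= b for a, b in ranges)

def check_setup(conf_text, rules_text, variables):
    """Return a list of findings; an empty list means proxy and filter agree."""
    conf = parse_proxy_conf(conf_text)
    rules, policies = parse_ruleset(rules_text, variables)
    findings = []
    if policies.get("input") != "DENY":
        findings.append("input chain policy is not DENY: the ACCEPT rules restrict nothing")
    listen = conf.get("Listen", "0.0.0.0")
    vip = variables.get("VIP", listen)
    open_ranges = [r["dport"] for r in rules if r["chain"] == "input"
                   and r["target"] == "ACCEPT" and r["proto"] == "tcp"
                   and r["dst"] == vip and r["dport"]]
    ctl = int(conf.get("Port", "21"))
    if not covered(open_ranges, ctl, ctl):
        findings.append(f"control port {ctl}/tcp to {vip} is not accepted")
    pmin, pmax = int(conf["PassiveMinDataPort"]), int(conf["PassiveMaxDataPort"])
    if not covered(open_ranges, pmin, pmax):
        findings.append(f"passive range {pmin}:{pmax} to {vip} is not fully accepted; "
                        "PASV data connections outside the opened range are filtered")
    # the caveat above: on 2.2.x a REDIRECTed packet only reaches a listener bound to 0.0.0.0
    if listen != "0.0.0.0" and any(r["target"] == "REDIRECT" for r in rules):
        findings.append(f"Listen {listen} together with a REDIRECT rule needs INADDR_ANY on 2.2.x")
    return findings
```

Run `check_setup(SAMPLE_PROXY_CONF, SAMPLE_RULES, SAMPLE_VARS)` on the quoted setup and the only finding is the missing DENY policy; prepend `-P input DENY` and it comes back clean, while widening PassiveMaxDataPort beyond FTP_PORTS in the proxy config alone produces the passive-range finding.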

