TR: Connection tracking with lvs

To: "'lvs-users@xxxxxxxxxxxxxxxxxxxxxx'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: TR: Connection tracking with lvs
From: Stéphane Klein <sklein@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 27 Aug 2004 15:23:03 +0200
I am forwarding this mail to the mailing list.
If anyone can help me!


> Hi Julian,
> Thanks for your response,
> I've found my error, which was that I hadn't enabled conntrack with
> echo 1 > /proc/...
> But I've tried to use your example to set up active and passive FTP.
> I can authenticate, but I can't list or send data. I can see packets
> in the conntrack file with dport=20, but the ftp server tried
> to send a SYN_SENT and got no reply.
> ip_vs_ftp is loaded as a module
> ip_nat_ftp and ip_conntrack_ftp are in the kernel
> I used the iptables rules of your example in the HOWTO.
> I saw this article where you said it's necessary to patch the
> kernel to work with ip_nat_ftp
> (
> That patch is for kernel 2.6.5. Is this patch included in
> your nfct patch or is it necessary to apply this patch?
> Could you tell me what modules are necessary for
> iptables and active and passive ftp?
> Best regards
>       Hello,
> On Thu, 26 Aug 2004, Stéphane Klein wrote:
> > Hi Julian
> >
> > First i want to congratulate you for all your work.
> >
> > I installed IPVS 1.0.11 (kernel 2.4.27) with heartbeat
> 1.0.4 and ldirectord.
> > Iptables is version 1.2.11.
> >
> > I did not need to install a firewall on this installation,
> but now I need it.
> > I've read the document at:
> >
> So I installed your patch found at:
> I enabled CONFIG_IP_VS_NFCT and recompiled the kernel.
> Here are my rules to enable the http service:
> $IPTABLES -A INPUT -i eth1 -p tcp -m multiport -d $VIP --destination-port 80,21 -m state --state NEW -j RULE_2
> $IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 --
> $IPTABLES -A FORWARD -p tcp -m state --state R,E -j ACCEPT

        All out->in traffic passes INPUT (not FORWARD as in
netfilter), so you cannot allow only NEW packets. FORWARD is passed only for
in->out traffic for NAT. I just inserted some iptables examples in the howto:

        You can use similar rules.

You can also read about the netfilter hooks LVS uses here:

        And maybe the LVS HOWTO has more information; there are
so many email postings included there.


Julian Anastasov <ja@xxxxxx>
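The ruleset Julian's reply describes, written out as an added example (these are not rules from the thread or from the LVS HOWTO): iptables on an LVS-NAT director built with the NFCT patch, where INPUT must admit the whole client->VIP connection and FORWARD carries only the real servers' NATed traffic back out. The VIP 192.0.2.10, the interfaces eth1/eth0 and the real-server subnet 10.0.0.0/24 are assumed values, as is the assumption that the NFCT patch lets conntrack classify the IPVS-translated connections in both directions, which is what the patch exists for. With IPTABLES unset the script only prints the rules, so they can be reviewed before being applied with IPTABLES=iptables.

```shell
#!/bin/sh
# Added example, not rules from the thread: iptables for an LVS-NAT
# director with CONFIG_IP_VS_NFCT, laid out per the hook description
# above. Client->VIP packets pass INPUT for the whole life of the
# connection; the NATed real-server replies pass FORWARD.
# IPTABLES is left unquoted on purpose so that the default
# "echo iptables" splits into a command and its first argument.
IPTABLES="${IPTABLES:-echo iptables}"
VIP="${VIP:-192.0.2.10}"         # assumed virtual IP (documentation range)
EXT_IF="${EXT_IF:-eth1}"         # interface the clients reach the VIP on
INT_IF="${INT_IF:-eth0}"         # interface towards the real servers
RS_NET="${RS_NET:-10.0.0.0/24}"  # assumed real-server subnet
LVS_PORTS="${LVS_PORTS:-21,80}"  # virtual services: ftp and http

lvs_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # Client -> VIP. Every packet of an LVS connection enters through
    # INPUT, so ESTABLISHED and RELATED must be accepted here too; a
    # NEW-only rule lets the SYN through and then drops the client's
    # ACKs and data. RELATED is what the ftp conntrack helper assigns
    # to the FTP data connections (active and passive), so this rule
    # is deliberately not restricted to the service ports.
    $IPTABLES -A INPUT -i "$EXT_IF" -d "$VIP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the virtual service ports may open a new connection.
    $IPTABLES -A INPUT -i "$EXT_IF" -d "$VIP" -p tcp \
        -m multiport --dports "$LVS_PORTS" \
        -m state --state NEW -j ACCEPT
    # Log what is left before the DROP policy discards it. A stream of
    # logged ESTABLISHED packets here is the symptom of a NEW-only rule.
    $IPTABLES -A INPUT -i "$EXT_IF" -d "$VIP" \
        -j LOG --log-level info --log-prefix "LVS INPUT drop: "

    # Real server -> client (in->out). In LVS-NAT the reply path, and
    # the data connection a real server opens from port 20 in active
    # mode (RELATED via the ftp helper), go through FORWARD.
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$RS_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -j LOG --log-level info --log-prefix "LVS FORWARD drop: "
}

lvs_rules
```

The order inside INPUT matters: the ESTABLISHED,RELATED rule comes first and carries no port list, so the client side of an FTP data connection is admitted regardless of which port the helper picked; only the first SYN of a session is held to the service port list. If INPUT accepted only NEW and the policy were DROP, the LOG rule would fill the log with the client's ESTABLISHED segments that never reach IPVS, which is the quickest way to confirm the problem Julian points out.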