TR: Connection tracking with lvs

To: "'lvs-users@xxxxxxxxxxxxxxxxxxxxxx'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: TR: Connection tracking with lvs
From: Stéphane Klein <sklein@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 27 Aug 2004 15:23:03 +0200
I am forwarding this mail to the mailing list.
If anyone can help me!

Thanks

> 
> Hi julian,
> 
> Thanks for your response,
> I've found my error, which was that I hadn't enabled conntrack with
> echo 1 > /proc/...
> 
> But I've tried to use your example to set up active and passive FTP.
> I can authenticate, but I can't list or send data. I can see packets
> in the conntrack file with dport=20, but the ftp server tries
> to send a SYN_SENT and gets no reply.
> 
> ip_vs_ftp is loaded as module
> ip_nat_ftp and ip_conntrack_ftp are in the kernel
> 
> I used iptables rules of your example in the HOWTO.
> 
> I saw this article where you said it's necessary to patch the
> kernel to work with ip_nat_ftp
> (http://www.in-addr.de/pipermail/lvs-users/2004-June/011955.html)
> That patch is for kernel 2.6.5. Is this patch included in
> your nfct patch, or is it necessary to apply this patch?
> 
> Could you tell me which modules are necessary for
> iptables and active and passive ftp?
> 
> Best regards
> 
> 
>       Hello,
> 
> On Thu, 26 Aug 2004, Stéphane Klein wrote:
> 
> > Hi Julian
> >
> > First I want to congratulate you for all your work.
> >
> > I installed IPVS 1.0.11 (kernel 2.4.27) with heartbeat 1.0.4 and ldirectord.
> > Iptables is in the 1.2.11 version.
> >
> > I did not need to install a firewall on this installation, but now I need it.
> > I've read the document at:
> > http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.filter_rules.html
> > So I installed your patch found at:
> > http://www.ssi.bg/~ja/nfct/ipvs-nfct-2.4.26-1.diff
> > I enabled CONFIG_IP_VS_NFCT and recompiled the kernel.
> >
> > Here are my rules to enable the http service:
> > $IPTABLES -A INPUT -i eth1 -p tcp -m multiport -d $VIP --destination-port 80,21 -m state --state NEW -j RULE_2
> > $IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
> > $IPTABLES -A RULE_2 -j ACCEPT
> > $IPTABLES -A FORWARD -p tcp -m state --state R,E -j ACCEPT

        All out->in traffic passes INPUT (not FORWARD as in
netfilter); you cannot allow only NEW packets. FORWARD is passed only for
in->out traffic for NAT. I just inserted some iptables examples in the howto:

http://www.ssi.bg/~ja/nfct/

        You can use similar rules.

You can also read about the netfilter hooks LVS uses here:

http://www.ssi.bg/~ja/LVS.txt

        And maybe the LVS HOWTO has more information; there are
so many email postings included there.

Regards

--
Julian Anastasov <ja@xxxxxx>
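The rule change Julian's reply implies, written out as an added example (not code from the thread or from the LVS project): the posted rule set, which only lets NEW packets into INPUT, beside a set that also accepts RELATED,ESTABLISHED in INPUT, where all client->VIP traffic arrives under LVS-NFCT. The VIP value, eth1, the RULE_2 chain and the dry-run default for IPTABLES are assumptions; the FORWARD rule is kept as posted, with the state names written in full.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: the rules are
# printed, not applied. Set IPTABLES=iptables to apply them for real.
VIP="${VIP:-192.0.2.10}"                 # constructed placeholder VIP
IPTABLES="${IPTABLES:-echo iptables}"    # assumed dry-run default

# Rule set as posted in the thread: only NEW packets reach RULE_2 on INPUT,
# and RELATED/ESTABLISHED packets are accepted only in FORWARD. Under
# LVS-NFCT every client->VIP packet traverses INPUT, so the later packets
# of an accepted connection (and the FTP data connections) are never
# accepted there.
original_rules() {
    $IPTABLES -A INPUT -i eth1 -p tcp -m multiport -d "$VIP" \
        --destination-port 80,21 -m state --state NEW -j RULE_2
    $IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
    $IPTABLES -A RULE_2 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Corrected rule set: NEW connections to the VIP ports are still logged and
# accepted via RULE_2, and INPUT additionally accepts RELATED,ESTABLISHED
# because that is where all out->in traffic is seen. With ip_conntrack_ftp
# loaded, the active and passive FTP data connections are RELATED to the
# control connection, so they match here too. FORWARD only sees in->out
# (NAT) traffic, so it keeps the rule from the thread.
corrected_rules() {
    $IPTABLES -N RULE_2                  # assumed: chain not created elsewhere
    $IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
    $IPTABLES -A RULE_2 -j ACCEPT
    $IPTABLES -A INPUT -i eth1 -p tcp -m multiport -d "$VIP" \
        --destination-port 80,21 -m state --state NEW -j RULE_2
    $IPTABLES -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Self-check on the dry-run output: does the given rule set accept
# RELATED,ESTABLISHED packets in INPUT? True for corrected_rules only.
input_accepts_established() {
    "$1" | grep -q -- '-A INPUT .*--state RELATED,ESTABLISHED'
}
```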