Hello,
I've recently (last night) migrated our company hosting site from single
publicly accessible servers onto a load-balanced topology using LVS and
keepalived.
95% of the migration went smoothly, no problems at all; however, there's
one service that's still failing: FTP.
I've spent all morning looking for a solution to this, but I've not found
anything that works with either active or passive FTP.
Here's what I've got set up at the moment:
Real server: 10.1.0.20 (default GW 10.1.0.10)
Director: 10.1.0.10 (internal), 217.154.117.50 (floating external)
I've got the following modules loaded on the director:
----------------------------------------------
Module                  Size  Used by    Not tainted
ipt_MASQUERADE          1464   0 (autoclean)
ipt_MARK                 760   0 (autoclean)
iptable_mangle          2136   0 (autoclean)
ip_vs_wlc                612  29 (autoclean)
ip_vs                  51624  30 (autoclean) [ip_vs_wlc]
iptable_nat            17934   1 (autoclean) [ipt_MASQUERADE]
ipt_state                536   3 (autoclean)
ip_conntrack           19972   0 (autoclean) [ipt_MASQUERADE iptable_nat ipt_state]
iptable_filter          1740   1 (autoclean)
ip_tables              12416   8 [ipt_MASQUERADE ipt_MARK iptable_mangle iptable_nat ipt_state iptable_filter]
tg3                    63436   2
rtc                     6440   0 (autoclean)
----------------------------------------------
The part of my keepalived.conf that's relevant:
----------------------------------------------
virtual_server fwmark 1 {
    delay_loop 6
    ! which lb technique?
    lb_algo wlc
    ! we are doing NAT
    lb_kind NAT
    protocol TCP
    persistence_timeout 600
    real_server 10.1.0.20 21 {
        weight 1
    }
}
----------------------------------------------
And I have the following IPTABLES rules in place:
----------------------------------------------
/sbin/iptables -t mangle -A PREROUTING -p tcp -d 217.154.117.50/32 \
--dport 21 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING -p tcp -d 217.154.117.50/32 \
--dport 1024: -j MARK --set-mark 1
----------------------------------------------
If I connect from work (NATted) with active FTP I get:
----------------------------------------------
publicserver:~# ftp bluebarracuda.com
Connected to bluebarracuda.com.
220 ProFTPD 1.2.10 Server (gingerman) [10.1.0.20]
Name (bluebarracuda.com:root): testftp
331 Password required for testftp.
Password:
230 User testftp logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
425 Unable to build data connection: Connection timed out
----------------------------------------------
And with passive FTP I get:
----------------------------------------------
publicserver:~# ftp bluebarracuda.com
Connected to bluebarracuda.com.
220 ProFTPD 1.2.10 Server (gingerman) [10.1.0.20]
Name (bluebarracuda.com:root): testftp
331 Password required for testftp.
Password:
230 User testftp logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (10,1,0,20,200,52).
ftp: connect: Connection timed out
----------------------------------------------
What's bizarre, though, is that if I connect from home (I'm using a Cisco
SOHO router which probably has some magic in it) using active FTP, it works.
I've read that the module 'ip_vs_ftp' needs to be inserted into the
kernel; however, when I do that, FTP fails for everything (including from
behind my Cisco).
I've no idea if it's relevant, but I'm running ProFTPD (as you can see
from the above transcript).
I don't care which FTP I get working, active or passive, but I need to
get one of them working, and get it working all the time (we've clients
that FTP to us); it's an almost critical service for us.
If anyone has any ideas as to what to try/do next, I would love to hear
them; it's starting to drive me a little nuts :)
Many thanks in advance for any help that can be provided.
Jonathan.
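Added example, not part of the post above and not Jonathan's code: a small Python parser for the FTP data-endpoint tuples that appear in the transcripts (the PORT command and the "227 Entering Passive Mode" reply), with a check that explains why the advertised endpoint cannot be reached and a user-space reproduction of the address rewrite that the NAT FTP helper (ip_vs_ftp on an LVS director) performs on the 227 reply. The 227 reply and the VIP 217.154.117.50 are taken from the post; the PORT command is a constructed sample, and the "port below 1024" check only matters because the post's mangle rule marks `--dport 1024:` and would miss a data port under that.

```python
import ipaddress
import re

# Sample input taken from the post's passive-mode transcript: the client
# connected to the VIP 217.154.117.50, but the 227 reply advertises the real
# server's RFC 1918 address 10.1.0.20 and port 200*256 + 52.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,1,0,20,200,52)."
SAMPLE_VIP = "217.154.117.50"
# Constructed PORT command, as a client behind NAT would send it (not from the post).
SAMPLE_PORT_COMMAND = "PORT 192,168,1,10,4,1"

# RFC 959 encodes address and port as six decimal octets: h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Parse the h1,h2,h3,h4,p1,p2 tuple shared by PORT and the 227 reply.

    Returns (host, port); the port is p1 * 256 + p2.
    """
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % text)
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


def parse_pasv_reply(line):
    """Data endpoint the server advertises in a '227 Entering Passive Mode' reply."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    return parse_hostport(line)


def parse_port_command(line):
    """Data endpoint the client advertises in a PORT command."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % line)
    return parse_hostport(line[5:])


def check_data_endpoint(host, port, control_peer):
    """Explain why a data connection to (host, port) would fail.

    control_peer is the address the control connection really uses: the VIP
    for a PASV reply, the client's public address for a PORT command.
    Returns a list of problem strings; an empty list means the endpoint is plausible.
    """
    problems = []
    advertised = ipaddress.ip_address(host)
    peer = ipaddress.ip_address(control_peer)
    if host != control_peer:
        problems.append("advertised %s but the control connection uses %s" % (host, control_peer))
    if advertised.is_private and not peer.is_private:
        problems.append("%s is an RFC 1918 address and is unreachable from the Internet" % host)
    if port < 1024:
        problems.append("data port %d is below 1024; a '--dport 1024:' mark rule would not match it" % port)
    return problems


def rewrite_pasv_reply(line, vip):
    """Replace the address in a 227 reply with the VIP, keeping the port.

    This is the fix-up the LVS FTP helper (ip_vs_ftp) applies to the server's
    reply on a NAT director, reproduced in user space so its effect is visible.
    """
    host, port = parse_pasv_reply(line)
    new_tuple = ",".join(vip.split(".") + [str(port // 256), str(port % 256)])
    return _HOSTPORT.sub(new_tuple, line, count=1)


if __name__ == "__main__":
    host, port = parse_pasv_reply(SAMPLE_PASV_REPLY)
    print("server advertised %s:%d" % (host, port))
    for problem in check_data_endpoint(host, port, SAMPLE_VIP):
        print("  problem:", problem)
    print("after helper rewrite:", rewrite_pasv_reply(SAMPLE_PASV_REPLY, SAMPLE_VIP))
    chost, cport = parse_port_command(SAMPLE_PORT_COMMAND)
    print("client asks the server to connect back to %s:%d" % (chost, cport))
```

Run against the post's 227 reply, the checker reports both that the advertised address differs from the VIP the client connected to and that 10.1.0.20 is not routable from the Internet, which is exactly the "ftp: connect: Connection timed out" seen in the passive transcript; after the rewrite the reply carries 217.154.117.50 with the same port 51252, which is what the helper module is there to produce (the director must then also NAT the data connection itself, which is the helper's other job).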