On Tue, 6 Dec 2005, Rob Ruth wrote:
> I am having issues getting passive ftp up and running and have read
> through the archives but have yet to find a fix. My current setup is as
> follows:
>
> lvs public ip - 172.16.123.24
> lvs private ip - 10.0.0.252
> virtual ip - 172.16.123.25
> real server - 10.0.0.95
>
> I have narrowed down my issue to outbound nat. When the server connects
> back to the client it is coming from the lvs public ip (172.16.123.24)
That's active ftp. Do you have the ip_vs_ftp module loaded (or compiled
in)? That should do the trick.
The only time I've had this problem was with vsftpd when configured to
initiate the connection from an unpriv port instead of the normal ftp-data
port.
I'm (trying to) create a patch that will allow ip_vs to work in this case
too.
> not the virtual ip (172.16.123.25). I've been playing around w/
> postrouting rules in iptables but can't seem to get it working. Any
> suggestions on a fix?
Hmmm... I was able to fix it like that. Something like:
iptables -t nat -[AI] POSTROUTING -s RIP -o PUB_INTF -j SNAT --to-source
VIP
Make sure the rule is before any general SNAT/MASQUERADE rule...
Regards,
Mark
|