Re: outbound nat problem

[Rob Ruth <rruth@xxxxxxxxxxx>]

When I load the ip_vs_ftp it causes additional/different problems.

Without ip_vs_ftp I get the following when I do a directory listing on 
the ftp server:
ftp> ls
227 Entering Passive Mode (198,X,X,X,217,208)  <-- my  public ip which 
it nat'd on the firewall back to the vip on lvs
ftp: connect: Connection refused

When I load ip_vs_ftp I get the following:

ftp> ls
227 Entering Passive Mode (172,16,123,25,220,5). <-- internal non-public 
vip 
long stall and eventual timeout...
I'm using proftpd which is setup to masquerade the public IP but as soon 
as I load ip_vs_ftp it seems to take over.

Mark de Vries wrote:

> On Tue, 6 Dec 2005, Rob Ruth wrote:
>
>  
>
> > I am having issues getting passive ftp up and running and have read
> > through the archives but have yet to find a fix. My current setup is as
> > follows:
> >
> > lvs public ip - 172.16.123.24
> > lvs private ip - 10.0.0.252
> > virtual ip  - 172.16.123.25
> > real server - 10.0.0.95
> >
> > I have narrowed down my issue to outbound nat. When the server connects
> > back to the client it is coming from the lvs public ip (172.16.123.24)
> >    
> That's active ftp. Do you have the ip_vs_ftp module loaded (or compiled
> in)? That should do the trick.
>
> The only time I've had this problem was with vsftpd when configured to
> initiate the connection from an unpriv port instead of the normal ftp-data
> port.
>
> I'm (trying to) create a patch that will allow ip_vs to work in this case
> too.
>
>  
>
> > not the virtual ip (172.16.123.25). I've been playing around w/
> > postrouting rules in iptables but can't seem to get it working. Any
> > suggestions on a fix?
> >    
> Hmmm... I was able to fix it like that. Something like:
>
> iptables -t nat -[AI] POSTROUTING -s RIP -o PUB_INTF -j SNAT --to-source
> VIP
>
> Make sure the rule is before any general SNAT/MASQUERADE rule...
>
> Regards,
> Mark
>
>