On Fri, 2006-12-22 at 19:47 -0800, Joseph Mack NA3T wrote:
> On Fri, 22 Dec 2006, Robinson, Eric wrote:
>
> >> so how have clients been getting back their ftp-data packets till now?
> >
> > I configure the tunnel to allow FTP-DATA connections from the RIPs of
> > the FTP servers to the client's network.
>
> the RIPs then must be public IPs?
>
> > The clients establish the
> > control connections to the VIP of the load-balancer, but the data
> > connections come from the RealServers.
>
> if the client is connecting with the VIP, why is it
> accepting an ftp-data connect request from the RIP?
Apparently - I've noticed - ftp-clients don't care where the connection
originates from.
> >> do you have the port=20 option (forget syntax) when loading your ftp
> > helper?
> >
> > I'll check, but does it matter with active FTP? The HOWTO implies it
> > doesn't.
>
> I didn't get a straight answer from Julian on the matter
> last time I asked if it had changed. Worth a try.
from ip_vs_ftp.c:
/*
* Look at incoming ftp packets to catch the PASV/PORT command
* (outside-to-inside).
*
* The incoming packet having the PORT command should be something like
* "PORT xxx,xxx,xxx,xxx,ppp,ppp\n".
* xxx,xxx,xxx,xxx is the client address, ppp,ppp is the client port number.
* In this case, we create a connection entry using the client address and
* port, so that the active ftp data connection from the server can reach
* the client.
*/
So that would suggest (to me) that you do need the ip_vs_ftp helper
module, to do the src address translation in the active connection from
server to client. (Which is what is not happening for you.)
However it might also work if you do SNAT or masquerading on the
director for the real-servers.
> >> you have no iptables rules on the director/realservers?
> >
> > No, the firewalls are separate appliances. No packet filtering on the
> > load-balancers.
No ip_vs_ftp helper, and no MASQ/SNAT rules on the director?
Someone/somewhere has to rewrite the src address of the active
connection. If you have neither... You sure?
[I must admit I never got it to work reliably in our production
environment, sometimes it would work, sometimes it would break. I didn't
have the time to figure out exactly why and just switched from NAT to DR
(with persistence), which has been working fine.]
Regards,
Mark.
|