Re: [lvs-users] FTP problem

To:	"LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject:	Re: [lvs-users] FTP problem
From:	Graeme Fowler <graeme@xxxxxxxxxxx>
Date:	Fri, 20 Feb 2009 17:58:40 +0000

On Fri, 2009-02-20 at 17:38 +0000, Keith Edmunds wrote:
> Well, I've read that too; however, you are implying that I've missed
> something. I apologise for missing it - could you give me a clue?

This might help:

20.3.2. Graeme Fowler's checklist for ftp

Graeme Fowler graeme (at) graemef (dot) net 23 Aug 2006 

      * Ensure the LVS FTP helper is loaded. 
      * Make sure that you define (or make a note of) the range of ports
        your FTP server uses for data connections (this varies from
        server to server). 
      * Ensure that you will accept traffic to those ports on your
        director. If the packets are rejected by netfilter/iptables on
        the director, the FTP helper never sees them so the connections
        will almost never work. 

That last bit is the killer here.

I have a sneaking suspicion that the interaction between your netfilter
(iptables) rules, the loaded nf_*_ftp modules and the ip_vs_ftp helper
is the cause of this problem.

When the data connection setup is underway, does the data connection SYN
back to the client originate from the VIP or from the DIP? If the
latter, then netfilter is running the show and the return SYN/ACK is
never handed off to the helper.

The entire connection, from the client's point of view, should involve
the RIP only and no other addresses. The fact that you're not even
getting a three-way-handshake to complete leads me to think that
netfilter is dropping the SYN/ACK because it doesn't believe the traffic
is ESTABLISHED,RELATED.

I haven't got a handy FTP box behind an LVS to play with at the moment
so I'm flying a bit blind, but if you could massively simplify - or even
switch off - iptables for a bit, I think the problem will either go away
or will become easier to resolve.

Graeme

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

<Prev in Thread]	Current Thread	[Next in Thread>
[lvs-users] FTP problem, Keith Edmunds Re: [lvs-users] FTP problem, Joseph Mack NA3T Re: [lvs-users] FTP problem, Keith Edmunds Re: [lvs-users] FTP problem, Joseph Mack NA3T Re: [lvs-users] FTP problem, Graeme Fowler <= Re: [lvs-users] FTP problem, Keith Edmunds

Previous by Date:	Re: [lvs-users] FTP problem, Joseph Mack NA3T
Next by Date:	Re: [lvs-users] FTP problem, Keith Edmunds
Previous by Thread:	Re: [lvs-users] FTP problem, Joseph Mack NA3T
Next by Thread:	Re: [lvs-users] FTP problem, Keith Edmunds
Indexes:	[Date] [Thread] [Top] [All Lists]