
[lvs-users] passive ftp configuration issue

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [lvs-users] passive ftp configuration issue
From: Vincent Li <vincent.mc.li@xxxxxxxxx>
Date: Mon, 24 Mar 2014 21:40:57 -0700
Hi,

I am following http://www.centos.org/docs/4/html/rh-cs-en-4/s1-lvs-ftp.html
to set up an FTP virtual server. Passive FTP is not working; active FTP
works fine:

-----LVS config


-A -t 192.168.1.169:21 -s rr
-a -t 192.168.1.169:21 -r 192.168.3.2:21 -m
-a -t 192.168.1.169:21 -r 192.168.3.3:21 -m

# ipvsadm -L
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.169:ftp rr
  -> 192.168.3.2:ftp              Masq    1      0          0
  -> 192.168.3.3:ftp              Masq    1      0          0


iptables rules

/sbin/iptables -t mangle -A PREROUTING -p tcp -d 192.168.1.169/32 --dport 21 -j MARK --set-mark 21
/sbin/iptables -t mangle -A PREROUTING -p tcp -d 192.168.1.169/32 --dport 10000:20000 -j MARK --set-mark 21

-----real server vsftpd related config

pasv_address=192.168.1.169
pasv_min_port=10000
pasv_max_port=20000


tcpdump for passive ftp data connection shows :

21 0.420062 192.168.1.9 192.168.1.169 TCP 74 50641 > 11196 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1491521 TSecr=0 WS=32

25 3.425842 192.168.1.169 192.168.1.9 ICMP 102 Destination unreachable (Host unreachable)

Transmission Control Protocol, Src Port: 50641 (50641), Dst Port: 11196 (11196), Seq: 4055858902

I extracted the TCP part of the ICMP host unreachable message
above. As you can see, it indicates that LVS seems to have no
listener/virtual for the client FTP data connection '50641 > 11196
[SYN]'. I thought the iptables mangle rules should handle the passive
FTP data connection, but it appears not. Am I missing anything?

I am running the latest Linux 3.14.0-rc7+, all the related
netfilter/ipvs ftp modules are loaded properly, and netfilter/ipvs
connection tracking is enabled too.

Regards,

Vincent

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
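
Added example, not part of the original message: a Python cross-check of the posted ipvsadm and iptables rules that reports, for each marked flow, whether a configured virtual service is keyed on that fwmark (`-f`) or on the address:port. It reads only the static rules (embedded as constructed input copied from the post) and does not see connection entries created at runtime by the ip_vs_ftp helper; the function names are illustrative.

```python
import re

# Constructed input: the ipvsadm rules and iptables commands quoted in the post.
IPVS_RULES = """\
-A -t 192.168.1.169:21 -s rr
-a -t 192.168.1.169:21 -r 192.168.3.2:21 -m
-a -t 192.168.1.169:21 -r 192.168.3.3:21 -m
"""
IPTABLES_RULES = """\
/sbin/iptables -t mangle -A PREROUTING -p tcp -d 192.168.1.169/32 --dport 21 -j MARK --set-mark 21
/sbin/iptables -t mangle -A PREROUTING -p tcp -d 192.168.1.169/32 --dport 10000:20000 -j MARK --set-mark 21
"""

def ipvs_services(text):
    """Return (tcp_services, fwmark_services) from ipvsadm '-A' lines."""
    tcp, marks = set(), set()
    for line in text.splitlines():
        tok = line.split()
        if "-A" not in tok:          # '-a' lines add real servers, not services
            continue
        if "-t" in tok:
            addr, port = tok[tok.index("-t") + 1].rsplit(":", 1)
            tcp.add((addr, int(port)))
        if "-f" in tok:
            marks.add(int(tok[tok.index("-f") + 1]))
    return tcp, marks

def marked_flows(text):
    """Return (dest_addr, port_lo, port_hi, mark) for each MARK rule."""
    pat = r"-d (\S+?)(?:/32)? .*--dport (\d+)(?::(\d+))? .*--set-mark (\d+)"
    flows = []
    for m in re.finditer(pat, text):
        lo = int(m.group(2))
        flows.append((m.group(1), lo, int(m.group(3) or lo), int(m.group(4))))
    return flows

def coverage(ipvs_text, ipt_text):
    """For each marked flow, say which kind of virtual service would accept it."""
    tcp, marks = ipvs_services(ipvs_text)
    report = []
    for addr, lo, hi, mark in marked_flows(ipt_text):
        if mark in marks:
            how = "fwmark service"
        elif all((addr, p) in tcp for p in range(lo, hi + 1)):
            how = "address:port service (mark unused)"
        else:
            how = "no virtual service"
        report.append((f"{addr}:{lo}-{hi} mark {mark}", how))
    return report

if __name__ == "__main__":
    for flow, how in coverage(IPVS_RULES, IPTABLES_RULES):
        print(f"{flow:40s} {how}")
```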
