To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] cant get passive ftp working through nat for clustered ftp hosts.
From: jason@xxxxxxxxxxxxxx
Date: Sun, 14 Jun 2015 21:01:06 -0400
Hey folks, I've read the howtos for a few days now and can't seem to get this to work. I've got a CentOS box running LVS and 2 backend FTP servers running vsftpd. The backend servers are set to use passive ports 50000-60000.
My server running LVS has 2 NICs, one on the internet and one private. The two FTP servers are on the private network. The 2 FTP servers have
pasv_address=x.x.x.x
where x.x.x.x is the outside (internet facing) IP address of my LVS server.
My LVS server is doing the following:
export realip=(outside ip address of my server)
# virtual service on VIP:21, weighted round-robin scheduling
ipvsadm -A -t $realip:21 -s wrr
# real servers added with -m (masquerading, i.e. LVS-NAT); port defaults to the service port, 21
ipvsadm -a -t $realip:21 -r 10.1.6.11 -m
ipvsadm -a -t $realip:21 -r 10.1.6.12 -m

10.1.6.11=vsftp server 1
10.1.6.12=vsftp server 2

So from a host on the outside, I can connect to my LVS server's outside IP address on port 21, and if I'm using active mode FTP, I can list directories and see files and whatnot.
If I use passive mode, it just hangs.

On the LVS server, I have:
[jason@host1 ~]$ lsmod | grep ftp
nf_nat_ftp              3507  0 
nf_conntrack_ftp       12913  1 nf_nat_ftp
nf_nat                 23316  3 nf_nat_ftp,ipt_MASQUERADE,iptable_nat
ip_vs_ftp               3738  2 
ip_vs                 125694  7 ip_vs_ftp,ip_vs_wrr,ip_vs_wlc
nf_conntrack           80422  8 nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state


But when I sniff the FTP connection on host1 (the LVS server), I see the following:
20:21:41.928714 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671275663 ecr 0,nop,wscale 6], length 0
20:21:43.928811 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671277663 ecr 0,nop,wscale 6], length 0

which looks correct for the most part, but I seem to be missing the "config" that passes along the passive FTP connections from the LVS server to the back end servers.

I tried the following:
iptables -t mangle -A PREROUTING -p tcp -d lvsoutsideaddress/32 --dport 21 -j MARK --set-mark 21
iptables -t mangle -A PREROUTING -p tcp -d lvsoutsideaddress/32 --dport 50000:60000 -j MARK --set-mark 21
This seems like it wouldn't work anyway, because it's just setting marks on the traffic; don't you need some other config to DO something with the marked traffic?


regards,
Jason


_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
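Added example, not from the original post and not the LVS project's or the kernel's code: a small Python model of what a NAT-mode director's FTP helper has to do for passive mode. The helper watches the real server's "227 Entering Passive Mode" reply on the control connection, records which real server the coming data connection belongs to, and rewrites the advertised address to the VIP before the client sees it; the client's later SYN to VIP:port is then forwarded using that entry, and a SYN with no entry goes unanswered, which is the "hangs in passive mode" symptom. The VIP 203.0.113.10 and the sample 227 replies are constructed. The model's rule that only an address owned by the replying real server is rewritten is the model's own assumption, chosen to make the failure case visible, and is not a claim about how the kernel's ip_vs_ftp module validates the reply.

```python
"""Model of passive-FTP handling on an LVS-NAT director (constructed example).

Not the kernel's ip_vs_ftp code: a user-space model of the two jobs a NAT FTP
helper has to do, so the control/data-channel interaction can be stepped through.
"""
import re

# h1,h2,h3,h4,p1,p2 inside the parentheses of a 227 reply
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from a '227 Entering Passive Mode (...)' reply, else None."""
    if not reply.startswith("227"):
        return None
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def format_pasv(ip, port):
    """Encode ip:port in the h1,h2,h3,h4,p1,p2 form used by the 227 reply."""
    return "%s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


class NatFtpHelper:
    """Tracks expected passive data connections for one VIP."""

    def __init__(self, vip, real_servers):
        self.vip = vip
        self.real_servers = set(real_servers)
        # (vip, port) -> (rip, port): data connections the client may open next
        self.expected = {}

    def rewrite_server_reply(self, rip, reply):
        """Process a control-channel reply coming from real server `rip`.

        Returns (reply as the client will see it, whether an entry was created).
        """
        parsed = parse_pasv(reply)
        if parsed is None or rip not in self.real_servers:
            return reply, False
        adv_ip, port = parsed
        # Assumption of this model: only an address owned by the replying real
        # server is translated. Anything else is passed through untouched and
        # no data-connection entry exists for the client's next SYN.
        if adv_ip != rip:
            return reply, False
        self.expected[(self.vip, port)] = (rip, port)
        new_reply = PASV_RE.sub("(" + format_pasv(self.vip, port) + ")", reply, count=1)
        return new_reply, True

    def forward_client_syn(self, dst_ip, dst_port):
        """Return the (rip, port) a client SYN to dst_ip:dst_port is NATed to.

        None means no entry: the SYN reaches nothing and the client retransmits,
        exactly the repeated [S] packets seen in a capture on the director.
        Each entry is consumed by the first SYN that matches it.
        """
        return self.expected.pop((dst_ip, dst_port), None)


if __name__ == "__main__":
    helper = NatFtpHelper("203.0.113.10", ["10.1.6.11", "10.1.6.12"])
    # Real server advertises its own address: reply is rewritten, SYN is forwarded.
    seen, ok = helper.rewrite_server_reply(
        "10.1.6.11", "227 Entering Passive Mode (10,1,6,11,195,80).\r\n")
    print(seen.strip(), ok, helper.forward_client_syn("203.0.113.10", 50000))
    # Real server advertises a foreign address: nothing for the helper to map.
    seen, ok = helper.rewrite_server_reply(
        "10.1.6.12", "227 Entering Passive Mode (203,0,113,10,195,81).\r\n")
    print(seen.strip(), ok, helper.forward_client_syn("203.0.113.10", 50001))
```

Port 50000 is encoded as 195,80 (195*256 + 80); the second case deliberately advertises the VIP so the lookup for the client's SYN comes back empty.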
