hey folks, I've read the howtos for a few days now and can't seem to get this to work.. I've got a centos box running lvs and 2 backend ftp servers running vsftpd. The backend servers are set to use passive ports 50000-60000.

my server running lvs has 2 nics, one on the innernets and one private. The two ftp servers are on the private network. The 2 ftp servers have

pasv_address=x.x.x.x

where x.x.x.x is the outside (internet facing) ip address of my lvs server..

my lvs server is doing the following

export realip=(outside ip address of my server)
ipvsadm -A -t $realip:21 -s wrr
ipvsadm -a -t $realip:21 -r 10.1.6.11 -m
ipvsadm -a -t $realip:21 -r 10.1.6.12 -m

10.1.6.11=vsftp server 1
10.1.6.12=vsftp server 2

sooo from a host on the outside, I can connect to my lvs server's outside ip address on port 21, and if I'm using active mode ftp, I can list directories and see files and whatnot.. If I use passive mode, it just hangs..
on the lvs server, I have

[jason@host1 ~]$ lsmod | grep ftp
nf_nat_ftp 3507 0
nf_conntrack_ftp 12913 1 nf_nat_ftp
nf_nat 23316 3 nf_nat_ftp,ipt_MASQUERADE,iptable_nat
ip_vs_ftp 3738 2
ip_vs 125694 7 ip_vs_ftp,ip_vs_wrr,ip_vs_wlc
nf_conntrack 80422 8 nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
but when I sniff the ftp connection on host1 (lvs server), I see the following:

20:21:41.928714 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671275663 ecr 0,nop,wscale 6], length 0
20:21:43.928811 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671277663 ecr 0,nop,wscale 6], length 0

which looks correct for the most part, but I seem to be missing the "config" that passes along the passive ftp connections from the lvs server to the back end servers.

I tried the

iptables -t mangle -A PREROUTING -p tcp -d lvsoutsideaddress/32 --dport 21 -j MARK --set-mark 21
iptables -t mangle -A PREROUTING -p tcp -d lvsoutsideaddress/32 --dport 50000:60000 -j MARK --set-mark 21

This seems like it wouldn't work anyway, because it's just setting marks on the traffic; don't you need some other config to DO something with the marked traffic?
regards,
Jason
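As an added example that is not part of Jason's post or the LVS project's own documentation, the POSIX shell script below does two things on the director: it scans a `tcpdump -n` capture for client SYNs into the PASV range that were retransmitted and never got a SYN-ACK (the symptom in the capture above), and it emits the director-side rules the post is missing, namely an ipvsadm virtual service keyed on the firewall mark (`-f 21`) so the marked packets are actually load-balanced. The VIP 203.0.113.10 and the four tcpdump lines are constructed; the real server addresses, the PASV range and mark 21 are taken from the post; `-p` persistence is the usual LVS recommendation for keeping a client's control and data connections on the same real server.

```shell
#!/bin/sh
# Added example, not from the original post. Diagnose and fix passive-FTP
# load balancing on an LVS-NAT director. VIP 203.0.113.10 is a constructed
# placeholder for the director's outside address; real servers, PASV range
# and fwmark follow the post.

VIP="${VIP:-203.0.113.10}"
REALSERVERS="${REALSERVERS:-10.1.6.11 10.1.6.12}"
PASV_LO=50000
PASV_HI=60000
FWMARK=21

# Constructed tcpdump -n lines: the same client SYN to a PASV-range port,
# retransmitted with no SYN-ACK, plus a control-port handshake that works.
SAMPLE_CAPTURE='20:21:41.928714 IP client.example.44588 > 203.0.113.10.58374: Flags [S], seq 3921685969, win 14600, length 0
20:21:43.928811 IP client.example.44588 > 203.0.113.10.58374: Flags [S], seq 3921685969, win 14600, length 0
20:21:44.100000 IP client.example.44590 > 203.0.113.10.21: Flags [S], seq 11111, win 14600, length 0
20:21:44.100500 IP 203.0.113.10.21 > client.example.44590: Flags [S.], seq 22222, ack 11112, win 14480, length 0'

# Read tcpdump text on stdin; print "client.port dstport count" for every
# SYN into the PASV range that was retransmitted (count > 1) and never
# answered with a SYN-ACK. On a working director each PASV SYN is answered
# because ip_vs_ftp has already created the NAT entry for that data port.
unanswered_pasv_syns() {
    awk -v lo="$PASV_LO" -v hi="$PASV_HI" '
    /Flags \[S\],/ {
        # $3 is "src.port", $5 is "dst.port:"; the port is the last dotted field
        src = $3; dst = $5; sub(/:$/, "", dst)
        n = split(dst, d, "[.]"); port = d[n] + 0
        if (port >= lo && port <= hi) syn[src " " port]++
    }
    /Flags \[S\.\],/ {
        # SYN-ACK: $3 is "vip.port", $5 is "client.port:"
        src = $3; dst = $5; sub(/:$/, "", dst)
        n = split(src, s, "[.]"); port = s[n] + 0
        answered[dst " " port] = 1
    }
    END {
        for (k in syn) if (syn[k] > 1 && !(k in answered)) print k, syn[k]
    }'
}

# Emit the rules that make the marks do something: mark port 21 and the PASV
# range with one fwmark, then define the IPVS service on that mark (-f).
# -m is LVS-NAT as in the post; -p pins control and data to one real server.
lvs_fwmark_ftp_rules() {
    cat <<EOF
modprobe ip_vs_ftp
iptables -t mangle -A PREROUTING -p tcp -d $VIP/32 --dport 21 -j MARK --set-mark $FWMARK
iptables -t mangle -A PREROUTING -p tcp -d $VIP/32 --dport $PASV_LO:$PASV_HI -j MARK --set-mark $FWMARK
ipvsadm -A -f $FWMARK -s wrr -p 300
EOF
    for rs in $REALSERVERS; do
        echo "ipvsadm -a -f $FWMARK -r $rs -m"
    done
}

# "sh lvs_pasv_ftp.sh demo" runs the check on the sample and prints the rules.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_CAPTURE" | unanswered_pasv_syns
    lvs_fwmark_ftp_rules
fi
```

Feed a live capture with `tcpdump -n -i <outside-if> 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0' | unanswered_pasv_syns` (the `-n` matters, otherwise port 21 is printed as `ftp` and the port parsing breaks). The emitted rules replace the `-t $realip:21` service from the post rather than sitting beside it, so delete that service first; the mark-based service then carries both the control connection and the data connections. NAT mode still requires `net.ipv4.ip_forward=1` on the director and the real servers routing their replies back through the director's private address, which the working active-mode transfers suggest is already the case.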
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users