Yes, I need to get passive FTP working as well so I don't have to explain
the difference between active and passive to all our customers.
regards,
Jason
On 06/14/2015 09:01 PM, jason@xxxxxxxxxxxxxx wrote:
> Hey folks, I've read the howtos for a few days now and can't seem to get this
> to work. I've got a CentOS box running LVS and 2 backend FTP servers running
> vsftpd. The backend servers are set to use passive ports 50000-60000.
> My server running LVS has 2 NICs, one on the innernets and one private. The
> two FTP servers are on the private network. The 2 FTP servers have
> pasv_address=x.x.x.x
> where x.x.x.x is the outside (internet facing) IP address of my LVS server.
> My LVS server is doing the following:
> export realip=(outside ip address of my server)
> ipvsadm -A -t $realip:21 -s wrr
> ipvsadm -a -t $realip:21 -r 10.1.6.11 -m
> ipvsadm -a -t $realip:21 -r 10.1.6.12 -m
>
> 10.1.6.11=vsftp server 1
> 10.1.6.12=vsftp server 2
>
> Sooo from a host on the outside, I can connect to my LVS server's outside IP
> address on port 21, and if I'm using active mode FTP, I can list directories
> and see files and whatnot.
> If I use passive mode, it just hangs.
>
> on the lvs server, I have
> [jason@host1 ~]$ lsmod | grep ftp
> nf_nat_ftp 3507 0
> nf_conntrack_ftp 12913 1 nf_nat_ftp
> nf_nat 23316 3 nf_nat_ftp,ipt_MASQUERADE,iptable_nat
> ip_vs_ftp 3738 2
> ip_vs 125694 7 ip_vs_ftp,ip_vs_wrr,ip_vs_wlc
> nf_conntrack 80422 8 nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
>
>
> but when I sniff the ftp connection on host1 (lvs server), I see the
> following:
> 20:21:41.928714 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671275663 ecr 0,nop,wscale 6], length 0
> 20:21:43.928811 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671277663 ecr 0,nop,wscale 6], length 0
>
> which looks correct for the most part, but I seem to be missing the "config"
> that passes along the passive FTP connections from the LVS server to the
> back end servers.
>
> I tried the
> iptables -t mangle -A PREROUTING -p tcp -d lvsoutsideaddress/32 --dport 21 -j MARK --set-mark 21
> iptables -t mangle -A PREROUTING -p tcp -d lvsoutsideaddress/32 --dport 50000:60000 -j MARK --set-mark 21
> This seems like it wouldn't work anyway, because it's just setting marks on
> the traffic; don't you need some other config to DO something with the
> marked traffic?
>
>
> regards,
> Jason
>
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>
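An added example, not from Jason's post or from the LVS project: the "other config" that acts on the marks. A single fwmark virtual service with client persistence (ipvsadm -f with -p) catches both the control connection to VIP:21 and the PASV data connections to VIP:50000-60000, and persistence pins a client to one real server, which is exactly what the data connection needs; without it the data SYN can be scheduled to the other real server, or, as in the tcpdump above, match no service at all and never get a SYN/ACK. The VIP 203.0.113.10, the 900 s persistence timeout and the DRY_RUN switch are assumptions; the real server addresses and the passive port range come from the post. The pasv_decode/pasv_check helpers decode a 227 reply the way a director or a client has to (port = p1*256 + p2; the sniffed port 58374 is 228,6), so you can confirm the endpoint the real server advertises is one the mangle rules will actually mark.

```shell
#!/bin/sh
# Added example (not from the original post or the LVS project): LVS-NAT
# director rules for passive FTP using one fwmark virtual service with
# client persistence, so a client's PASV data connection (VIP:50000-60000)
# lands on the same real server as its control connection (VIP:21).
# Assumptions: VIP 203.0.113.10 (documentation address), persistence 900 s.
# Real server IPs and the passive port range are the ones from the post.
# The real servers must use the director's private IP as default gateway
# (standard LVS-NAT requirement) so their replies pass back through ip_vs.
VIP="${VIP:-203.0.113.10}"
RIPS="${RIPS:-10.1.6.11 10.1.6.12}"
PASV_LO=50000
PASV_HI=60000
FWMARK=21
PERSIST=900
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only (no root needed)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Director rules: mark control and passive-range traffic to the VIP with the
# same fwmark, then serve that fwmark through one persistent NAT service.
lvs_ftp_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t mangle -A PREROUTING -p tcp -d "$VIP/32" \
        --dport 21 -j MARK --set-mark "$FWMARK"
    run iptables -t mangle -A PREROUTING -p tcp -d "$VIP/32" \
        --dport "$PASV_LO:$PASV_HI" -j MARK --set-mark "$FWMARK"
    # -p: persistence keyed on client address, so the data connection follows
    # the control connection to the same real server.
    run ipvsadm -A -f "$FWMARK" -s wrr -p "$PERSIST"
    for rip in $RIPS; do
        run ipvsadm -a -f "$FWMARK" -r "$rip" -m
    done
}

# Decode "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into "host port".
# The port is p1*256 + p2, e.g. (228,6) -> 58374, the port in the tcpdump.
pasv_decode() {
    inner="${1#*\(}"
    inner="${inner%%\)*}"
    old_ifs=$IFS
    IFS=,
    set -- $inner
    IFS=$old_ifs
    echo "$1.$2.$3.$4 $(($5 * 256 + $6))"
}

# Succeeds only if the advertised endpoint is one the mangle rules mark:
# the VIP (vsftpd pasv_address) and a port inside the passive range.
pasv_check() {
    set -- $(pasv_decode "$1")
    [ "$1" = "$VIP" ] && [ "$2" -ge "$PASV_LO" ] && [ "$2" -le "$PASV_HI" ]
}

lvs_ftp_rules
# Constructed sample reply, as vsftpd would send it with pasv_address=VIP.
if pasv_check "227 Entering Passive Mode (203,0,113,10,228,6)"; then
    echo "PASV reply advertises VIP and an in-range port"
else
    echo "PASV reply would not be caught by the fwmark service"
fi
```

Run as-is it only prints the commands; DRY_RUN=0 applies them and needs root and ipvsadm on the director. With this approach the real servers keep pasv_address set to the VIP, because nothing on the director rewrites the 227 reply; that is the opposite assumption from the ip_vs_ftp helper, whose job is to rewrite a 227 reply that carries the real server's own address. After applying, check with ipvsadm -L -n that the fwmark service lists both real servers, then repeat the tcpdump: the SYN to VIP:5xxxx should now get a SYN/ACK.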