Re: [lvs-users] cant get passive ftp working through nat for clustered f

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [lvs-users] cant get passive ftp working through nat for clustered ftp hosts.
Cc: jason@xxxxxxxxxxxxxx
From: support@xxxxxxxxxx
Date: Sun, 28 Jun 2015 12:46:06 +0200

> > hey folks, 
 
 Hello Jason,
  
 > > export realip=(outside ip address of my server)
 > > ipvsadm -A -t $realip:21 -s wrr
 > > ipvsadm -a -t $realip:21 -r 10.1.6.11 -m       
 > > ipvsadm -a -t $realip:21 -r 10.1.6.12 -m       
 > > 
 > > 10.1.6.11=vsftp server 1
 > > 10.1.6.12=vsftp server 2
  
That setup reads as a plan for LVS-NAT ... but with incomplete LVS-NAT rules.
You need to cover ALL configured vsftpd server PORTS on the LVS balancer nodes
- otherwise you'll never see a SYN nor an ACK :)
  
With LVS-DR the vsftpd can give direct answers; on LVS-NAT you have to take
care of the configured redirected ports very carefully.
  
You probably also need the ip_vs_ftp kernel module.
  
  # lsmod | grep ftp
  ip_vs_ftp 6731 0
  nf_nat 16229 1 ip_vs_ftp
  ip_vs 157311 6 ip_vs_ftp,ip_vs_rr 
  
  
  So it should be, i.e.:
 >   
 > > > ipvsadm -A -t $realip:20-21 -s wrr
 > > > ipvsadm -a -t $realip:20-21 -r 10.1.6.11 -m       
 > > > ipvsadm -a -t $realip:20-21 -r 10.1.6.12 -m  
 > 
 > > > ipvsadm -A -t $realip:50000-60000 -s wrr
 > > > ipvsadm -a -t $realip:50000-60000 -r 10.1.6.11 -m       
 > > > ipvsadm -a -t $realip:50000-60000 -r 10.1.6.12 -m  
 > 
 
  
 If there are still issues, then install wireshark on the lvs; that will tell
you exactly what has been happening on your LVS nodes' network traffic.
  
  
  For passive vsftpd you must configure like this:
http://splatdot.com/running-vsftpd-behind-a-nat-firewall/
  and let the ports 20/21 + passive ftp ports traffic pass your lvs-nat setup.
  
  If you want passive sftpd you need as well some other standard ports for that,
i.e. 115.
  
 > >    Check if INPUT firewall rules allow the passive data
 > > traffic. For example, such rules may help:
 > > 
 > > # Accept FTP DATA (related) and FTP CONTROL (established) traffic:
 > > iptables -A INPUT -p tcp -d $VIP -m state --state RELATED,ESTABLISHED -j ACCEPT
 > > # Accept FTP CONTROL:
 > > iptables -A INPUT -p tcp -d $VIP --dport 21 -m state --state NEW -j ACCEPT
  
  
  
  I would suggest to use i.e. keepalived to manage your LVS-NAT FTP port rules
and the IP failover.
   ..take care of port & NAT routing as Junian suggested.
  - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Cluster_Administration/s1-lvs-ftp.html
  - http://keepalived.org/LVS-NAT-Keepalived-HOWTO.html
  
  
  Hope this helps.
  
  
--
Kind regards / Best Regards
  
 Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de - 1995 - 2015
- 20 years of Linux/Unix support.
  
 Legal Notice: This transmittal and/or attachments may be privileged or 
confidential. It is intended solely for the addressee named above. Any review, 
dissemination, or copying is strictly prohibited. If you received this 
transmittal in error, please notify us immediately by reply and immediately 
delete this message and all
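Added example, not from this thread or its author: a POSIX shell helper that reads pasv_min_port/pasv_max_port from a constructed vsftpd.conf and emits the matching LVS-NAT balancer rules in the firewall-mark form the linked Red Hat document uses (ipvsadm -t takes a single port per service, so the passive range is marked with iptables and balanced with ipvsadm -f). The VIP 203.0.113.10, mark 21 and the real-server addresses are assumed values.

```shell
#!/bin/sh
# Added example (not from the original thread). Derive the LVS-NAT rules for a
# passive vsftpd cluster from the pasv_* range in vsftpd.conf, so the balancer's
# port range and the servers' pasv_min_port/pasv_max_port cannot drift apart.

# Constructed vsftpd.conf fragment standing in for /etc/vsftpd.conf on the real servers
SAMPLE_VSFTPD_CONF='listen=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=60000
pasv_address=203.0.113.10'

# conf_value KEY CONF -> prints the (last) value of KEY from a vsftpd.conf text
conf_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=//p" | tail -n 1
}

# lvs_nat_ftp_rules VIP MARK CONF RS... -> prints the iptables/ipvsadm commands:
# control port 21 and the passive range get one firewall mark, the mark is one
# IPVS service, and every real server is added with -m (masquerading/NAT).
# Fails (returns 1) when the passive range is missing or inverted.
lvs_nat_ftp_rules() {
    vip=$1; mark=$2; conf=$3; shift 3
    pmin=$(conf_value pasv_min_port "$conf")
    pmax=$(conf_value pasv_max_port "$conf")
    [ -n "$pmin" ] && [ -n "$pmax" ] && [ "$pmin" -le "$pmax" ] || return 1
    echo "iptables -t mangle -A PREROUTING -p tcp -d $vip/32 --dport 21 -j MARK --set-mark $mark"
    echo "iptables -t mangle -A PREROUTING -p tcp -d $vip/32 --dport $pmin:$pmax -j MARK --set-mark $mark"
    echo "ipvsadm -A -f $mark -s wrr"
    for rs in "$@"; do
        echo "ipvsadm -a -f $mark -r $rs -m"
    done
}

# Is the IPVS FTP helper (ip_vs_ftp, see the lsmod output above) loaded on this node?
ip_vs_ftp_loaded() {
    grep -q '^ip_vs_ftp ' /proc/modules 2>/dev/null
}

# Print the rules for the two vsftpd real servers from the thread (assumed VIP and mark)
lvs_nat_ftp_rules 203.0.113.10 21 "$SAMPLE_VSFTPD_CONF" 10.1.6.11 10.1.6.12
```

The emitted commands are meant to be reviewed and applied on the balancer (or translated into keepalived's virtual_server block); the script itself only prints them.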

