Re: ipchains filter rules for ftp-proxy - done

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: ipchains filter rules for ftp-proxy - done
From: Alois Treindl <alois@xxxxxxxx>
Date: Thu, 21 Jun 2001 10:18:24 +0200
I think I got it, by thinking a bit more clearly and watching my
ipchains filter with more logging enabled.

For my setup of a not-loadbalanced ftp-proxy service on LVS-NAT,
no entry in ipvsadm is needed.
Everything is handled by ftp-proxy on the director.

I report it to the list because others may have the same problem
setting up an ftp proxy on an LVS system.

Configuration details:

in ftp-proxy.conf the only lines uncommented are:

DestinationAddress 10.1.1.1
DestinationPort 21  
Listen          195.49.62.59
PassiveMinDataPort      41000
PassiveMaxDataPort      41999

in my ipchains ruleset I have:
# allow incoming ftp command connections on VIP
-A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} 21 $L
# data connections in active mode
-A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} 20 $L
# allow data connections in passive mode
-A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} ${FTP_PORTS} $L

where 
FTP_PORTS="41000:41999"
NPORTS="1024:65535"
ALL=0/0
VIP=195.49.62.59

Alois

---- setup -------------------

        |
        | eth1: real address $DEP, virtual address eth1:0 $VIP
        | DEP=195.49.62.58         VIP=195.49.62.59
+---------------------+
| LVS-NAT director    |  running kernel 2.2.19
| ipchains firewall   |
| ftp-proxy           |
+---------------------+
        | eth0: 10.1.1.254 hostname="w0"
        |
        |
     switch--------------- other real http servers w2, w3, w4, ...
        |
        | eth0: 10.1.1.1  hostname="w1"
+---------------------+
| http server         |  running kernel 2.4.5
| ftp server          |
+---------------------+
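
Added example, not part of the original message: a shell check that the passive data-port range in ftp-proxy.conf still equals the range the firewall opens via FTP_PORTS, so the proxy never hands out a blocked port and the firewall opens no unused ones. The function names and the temporary sample file are assumptions for illustration; the sample config is constructed from the values quoted above.

```shell
#!/bin/sh
# Print "min:max" from PassiveMinDataPort / PassiveMaxDataPort in a config
# file; commented-out lines are ignored. Returns 1 if either key is missing.
passive_range() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "PassiveMinDataPort" { min = $2 }
        $1 == "PassiveMaxDataPort" { max = $2 }
        END { if (min == "" || max == "") exit 1; print min ":" max }
    ' "$1"
}

# Compare the proxy range with the firewall range (format "lo:hi").
# Returns 0 = identical, 1 = ranges differ, 2 = range missing or invalid.
check_ftp_ports() {
    conf=$1; fw=$2
    proxy=$(passive_range "$conf") || { echo "no passive range in $conf"; return 2; }
    pmin=${proxy%%:*}; pmax=${proxy##*:}
    fmin=${fw%%:*};    fmax=${fw##*:}
    case "$pmin$pmax$fmin$fmax" in
        *[!0-9]*|"") echo "non-numeric port range"; return 2 ;;
    esac
    if [ "$pmin" -gt "$pmax" ]; then echo "invalid proxy range $proxy"; return 2; fi
    if [ "$pmin" -lt "$fmin" ] || [ "$pmax" -gt "$fmax" ]; then
        echo "proxy may pick ports the firewall blocks: $proxy vs $fw"; return 1
    fi
    if [ "$pmin" -gt "$fmin" ] || [ "$pmax" -lt "$fmax" ]; then
        echo "firewall opens ports the proxy never uses: $fw vs $proxy"; return 1
    fi
    echo "ok: $proxy"
}

# Constructed sample mirroring the settings quoted in the message above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
DestinationAddress 10.1.1.1
DestinationPort 21
Listen          195.49.62.59
# PassiveMinDataPort 40000
PassiveMinDataPort      41000
PassiveMaxDataPort      41999
EOF
check_ftp_ports "$sample" "41000:41999"
```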

