I just recently moved my setup from a Streamlined High Availability and Load
Balancing (with only two servers) to a High Capacity High Availability and
Load Balancing with two directors, two servers (soon to be eight) and I have
to say that setting up the two separate directors was infinitely easier to
get going than setting up two director/real servers. Lots of little
heartbeat quirks in the streamlined setup disappeared when the directors were
separate (or maybe I just missed a step or two the first time!).
Anyway, the problem of moving the directors off the servers themselves
appears to be that it broke FTP. I'm starting to think that FTP always was
broken, but I'm not sure if it's my iptables rules or my lvs config which is
causing the problem.
Originally it was set up as:
# ldirectord.cf
# IP Address 216.94.150.36
# ldirectord requires the lines belonging to a virtual= service to be indented
virtual=216.94.150.36:21
        # gate = direct routing (LVS-DR): packets are forwarded with the VIP unchanged
        real=216.94.150.7:21 gate
        real=216.94.150.8:21 gate
        # keep a client on the same real server for an hour so its control and
        # data connections land on the same box
        persistent=3600
        service=ftp
        # negotiate check: log in and fetch .lvs.msg, expect it to contain "LVS OK"
        request=".lvs.msg"
        receive="LVS OK"
        login="myuser"
        passwd="mypass"
        scheduler=rr
        protocol=tcp
        checktype=negotiate
# firewall rules
# checks from directors/servers
-A INPUT -i $EXT_INT -s 216.94.150.7 -p tcp --dport 20:21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $EXT_INT -s 216.94.150.8 -p tcp --dport 20:21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# allow only to ftp host (negation written as "! -d", the form current iptables accepts)
-A INPUT -i $EXT_INT ! -d $FTP_IP -p tcp --dport ftp -m state --state NEW -j REJECT
-A INPUT -i $EXT_INT -d $FTP_IP -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 20:21 -j ACCEPT
# passive-mode data connections; the ftp daemon must be configured to use this range
-A INPUT -i $EXT_INT -d $FTP_IP -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 10020:10030 -j ACCEPT
The only problem I had with the above iptables/LVS setup was that FTP was
only available to the machine which was the director at the time. It worked
well enough and the filesystems were synched so files were updated and I
just left it although it was obviously not quite the way it was supposed to
be working.
I changed the first two iptables rules (below) to reflect the new separate
directors, and loaded ip_conntrack and ip_conntrack_ftp on the servers.
Both servers now show up in ipvsadm and FTP works for some incoming
clients, but not all, and is very slow. I figure the FTP clients which are
having problems are timing out.
####################################### FTP #########################################
-A INPUT -i $EXT_INT -s 216.94.150.8 -p tcp --dport 20:21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $EXT_INT -s 216.94.150.7 -p tcp --dport 20:21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
What am I doing wrong?
___________________________________________________
Dan Brown
danb@xxxxxx
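A check worth running against a setup like the one in the post (added example, not code from the original message or from the LVS/ldirectord projects): the INPUT rules above only ACCEPT data connections that arrive for $FTP_IP on ports 10020:10030, so whatever address and port the real server's ftpd advertises in its PASV reply has to be the VIP and a port in that range, or the client's data connection simply hangs until it times out. The script below parses 227 replies and reports anything the posted rules would not accept. The VIP, the two real-server addresses and the port range are taken from the post; the sample replies are constructed, not captured from anyone's server, and probe() is an optional live check that assumes a login that can reach the VIP.

```python
"""Check what an FTP server behind an LVS-DR virtual service advertises in
its PASV reply.  Added example, not from the original post.  Assumptions:
the VIP 216.94.150.36, real servers .7/.8 and passive range 10020:10030
are taken from the post; the sample replies below are constructed."""
import re
from ftplib import FTP

VIP = "216.94.150.36"                        # virtual= address in ldirectord.cf
REAL_SERVERS = {"216.94.150.7", "216.94.150.8"}
PASV_PORTS = (10020, 10030)                  # --dport 10020:10030 in the INPUT rules

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply; raise ValueError otherwise."""
    m = _PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    octets = m.groups()[:4]
    p1, p2 = int(m.group(5)), int(m.group(6))
    return ".".join(octets), p1 * 256 + p2


def check_pasv(reply, vip=VIP, ports=PASV_PORTS, real_servers=REAL_SERVERS):
    """List what the posted INPUT rules would not accept for this data endpoint.

    The rules only ACCEPT data ports when the packet is destined to $FTP_IP
    (the VIP) and the port lies in 10020:10030; anything else a client takes
    from the PASV reply will hang until the client gives up.
    """
    host, port = parse_pasv(reply)
    problems = []
    if host != vip:
        if host in real_servers:
            problems.append("advertises real server %s instead of the VIP %s" % (host, vip))
        else:
            problems.append("advertises unexpected address %s" % host)
    lo, hi = ports
    if not lo <= port <= hi:
        problems.append("data port %d is outside the allowed range %d:%d" % (port, lo, hi))
    return problems


def probe(host, user, passwd, timeout=10):
    """Live check (assumed credentials): log in through the VIP and return the
    raw 227 reply.  Run it several times; with rr scheduling each real server
    should answer eventually and every reply should pass check_pasv()."""
    ftp = FTP(timeout=timeout)
    ftp.connect(host, 21)
    ftp.login(user, passwd)
    try:
        return ftp.sendcmd("PASV")
    finally:
        ftp.quit()


# Constructed sample replies (not captured from the poster's servers).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (216,94,150,36,39,36)",   # VIP, port 10020: fine
    "227 Entering Passive Mode (216,94,150,7,39,40)",    # RIP, port 10024: wrong host
    "227 Entering Passive Mode (216,94,150,36,200,10)",  # VIP, port 51210: outside range
    "227 Entering Passive Mode (216,94,150,8,200,10)",   # both problems
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        problems = check_pasv(reply)
        print("%-50s %s" % (reply, "OK" if not problems else "; ".join(problems)))
```

If a real server answers with its own address or a port outside 10020:10030, that is the ftpd's passive configuration to fix (advertise the VIP, restrict the passive range), not the iptables rules.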