Hi, I am following http://www.centos.org/docs/4/html/rh-cs-en-4/s1-lvs-ftp.html to set up an FTP virtual server. Passive FTP is not working; active FTP works fine:

----- LVS config -----

-A -t 192.168.1.169:21 -s rr
-a -t 192.168.1.169:21 -r 192.168.3.2:21 -m
-a -t 192.168.1.169:21 -r 192.168.3.3:21 -m

# ipvsadm -L
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.169:ftp rr
  -> 192.168.3.2:ftp              Masq    1      0          0
  -> 192.168.3.3:ftp              Masq    1      0          0

iptables rules:

/sbin/iptables -t mangle -A PREROUTING -p tcp -d 192.168.1.169/32 --dport 21 -j MARK --set-mark 21
/sbin/iptables -t mangle -A PREROUTING -p tcp -d 192.168.1.169/32 --dport 10000:20000 -j MARK --set-mark 21

----- real server vsftpd related config -----

pasv_address=192.168.1.169
pasv_min_port=10000
pasv_max_port=20000

tcpdump for the passive FTP data connection shows:

21 0.420062 192.168.1.9 192.168.1.169 TCP 74 50641 > 11196 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1491521 TSecr=0 WS=32
25 3.425842 192.168.1.169 192.168.1.9 ICMP 102 Destination unreachable (Host unreachable)
    Transmission Control Protocol, Src Port: 50641 (50641), Dst Port: 11196 (11196), Seq: 4055858902

I extracted the TCP part of the ICMP host unreachable message above. As you can see, it indicates that LVS seems to have no listener/virtual server for the client FTP data connection '50641 > 11196 [SYN]'. I thought the iptables mangle rules should handle the passive FTP data connection, but it appears they do not. Am I missing anything?

I am running the latest Linux 3.14.0-rc7+; all the related netfilter/ipvs FTP modules are loaded properly, and netfilter/ipvs connection tracking is enabled too.

Regards,
Vincent

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - [email protected]
Send requests to [email protected]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
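As an added example, not part of Vincent's post or of the LVS project, the script below cross-checks the three pieces of configuration quoted in the post (the mangle MARK rules, the 'ipvsadm -L' listing and the vsftpd passive settings) and reports where they disagree: a firewall mark that no 'FWM <mark>' virtual service in ipvsadm consumes, or a vsftpd passive port range that no MARK rule covers. It assumes the 'ipvsadm -L' text layout (an 'FWM <mark> <scheduler>' line for a fwmark-based service, '<PROTO> <ip:port> <scheduler>' for an address-based one) and the iptables command syntax shown in the post. The sample inputs are constructed from the post; IPVS_FWMARK is a hypothetical listing showing what a fwmark-based service for mark 21 would look like, and is not something the post contains.

```python
"""Consistency check: iptables MARK rules vs. ipvsadm services vs. vsftpd pasv range.

Added example, not code from the original post or from the LVS project.
Assumes the text formats of `ipvsadm -L` and of iptables command lines.
"""
import re
from dataclasses import dataclass, field

# Matches "-p tcp -d 192.168.1.169/32 --dport 10000:20000 -j MARK --set-mark 21"
MARK_RULE = re.compile(
    r"-p\s+(?P<proto>tcp|udp)\s+-d\s+(?P<dst>[\d.]+)(?:/\d+)?\s+"
    r"--dport\s+(?P<lo>\d+)(?::(?P<hi>\d+))?.*?-j\s+MARK\s+--set-mark\s+(?P<mark>\d+)"
)


@dataclass
class VirtualService:
    kind: str            # "fwmark" (FWM <n>) or "addr" (<PROTO> <ip:port>)
    key: str             # "21" for FWM 21, "192.168.1.169:ftp" for an address service
    scheduler: str
    real_servers: list = field(default_factory=list)


def parse_mark_rules(rules: str):
    """Return (proto, dst_ip, low_port, high_port, mark) for every MARK rule."""
    out = []
    for line in rules.splitlines():
        m = MARK_RULE.search(line)
        if m:
            lo = int(m["lo"])
            hi = int(m["hi"]) if m["hi"] else lo
            out.append((m["proto"], m["dst"], lo, hi, int(m["mark"])))
    return out


def parse_ipvsadm(text: str):
    """Parse `ipvsadm -L` output (assumed layout) into VirtualService objects."""
    services, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("IP Virtual Server", "Prot ")):
            continue
        parts = s.split()
        if parts[0] == "->":
            # Real-server line; skip the column header "-> RemoteAddress:Port ..."
            if cur is not None and parts[1] != "RemoteAddress:Port":
                cur.real_servers.append(parts[1])
            continue
        kind = "fwmark" if parts[0] == "FWM" else "addr"
        cur = VirtualService(kind, parts[1], parts[2])
        services.append(cur)
    return services


def parse_vsftpd(text: str):
    """Minimal key=value parser for the vsftpd settings that matter here."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            conf[k.strip()] = v.strip()
    return conf


def check(rules: str, ipvs_output: str, vsftpd_conf: str):
    """Return a list of problems; an empty list means the three pieces agree."""
    problems = []
    marks = parse_mark_rules(rules)
    fwm = {s.key: s for s in parse_ipvsadm(ipvs_output) if s.kind == "fwmark"}
    if not marks:
        problems.append("no -j MARK rules found in the mangle table")
    for mark in sorted({r[4] for r in marks}):
        svc = fwm.get(str(mark))
        if svc is None:
            problems.append(f"packets are marked {mark} but ipvsadm has no "
                            f"'FWM {mark}' virtual service to consume that mark")
        elif not svc.real_servers:
            problems.append(f"FWM {mark} has no real servers")
    conf = parse_vsftpd(vsftpd_conf)
    if "pasv_min_port" in conf and "pasv_max_port" in conf:
        lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
        addr = conf.get("pasv_address")
        covered = any(p == "tcp" and (addr is None or d == addr) and rlo <= lo <= hi <= rhi
                      for p, d, rlo, rhi, _ in marks)
        if not covered:
            problems.append(f"passive range {lo}-{hi} on {addr} is not covered by a MARK rule")
    return problems


# Constructed sample inputs, taken from the post.
RULES = """
/sbin/iptables -t mangle -A PREROUTING -p tcp -d 192.168.1.169/32 --dport 21 -j MARK --set-mark 21
/sbin/iptables -t mangle -A PREROUTING -p tcp -d 192.168.1.169/32 --dport 10000:20000 -j MARK --set-mark 21
"""
IPVS_ADDR_ONLY = """IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.169:ftp rr
  -> 192.168.3.2:ftp              Masq    1      0          0
  -> 192.168.3.3:ftp              Masq    1      0          0
"""
# Hypothetical listing (assumption): a fwmark-based service for mark 21.
IPVS_FWMARK = """IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  21 rr
  -> 192.168.3.2:ftp              Masq    1      0          0
  -> 192.168.3.3:ftp              Masq    1      0          0
"""
VSFTPD = """pasv_address=192.168.1.169
pasv_min_port=10000
pasv_max_port=20000
"""

if __name__ == "__main__":
    for name, listing in (("address-based", IPVS_ADDR_ONLY), ("fwmark-based", IPVS_FWMARK)):
        print(name, check(RULES, listing, VSFTPD) or "OK")
```

Run against the listing from the post it reports that mark 21 has no FWM service; run against the hypothetical fwmark listing it reports nothing. On a real director the same check can be fed the live output of 'iptables -t mangle -S PREROUTING' and 'ipvsadm -L'.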
