Vincent,

In NAT mode, the ip_vs_ftp module is used to ensure that the client connects back via the load balancer rather than attempting to connect directly to the Real Server. Have you got the module loaded?

You only need the firewall rules if you are in DR/gate mode.

On 25 March 2014 04:40, Vincent Li <vincent.mc...@gmail.com> wrote:
> Hi,
>
> I am following http://www.centos.org/docs/4/html/rh-cs-en-4/s1-lvs-ftp.html
> to set up an ftp virtual server. Passive ftp is not working; active ftp
> works fine:
>
> -----LVS config
>
> -A -t 192.168.1.169:21 -s rr
> -a -t 192.168.1.169:21 -r 192.168.3.2:21 -m
> -a -t 192.168.1.169:21 -r 192.168.3.3:21 -m
>
> # ipvsadm -L
> IP Virtual Server version 1.2.1 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> TCP  192.168.1.169:ftp rr
>   -> 192.168.3.2:ftp              Masq    1      0          0
>   -> 192.168.3.3:ftp              Masq    1      0          0
>
> -----iptables rules
>
> /sbin/iptables -t mangle -A PREROUTING -p tcp -d 192.168.1.169/32 --dport 21 -j MARK --set-mark 21
> /sbin/iptables -t mangle -A PREROUTING -p tcp -d 192.168.1.169/32 --dport 10000:20000 -j MARK --set-mark 21
>
> -----real server vsftpd related config
>
> pasv_address=192.168.1.169
> pasv_min_port=10000
> pasv_max_port=20000
>
> tcpdump for the passive ftp data connection shows:
>
> 21 0.420062 192.168.1.9 192.168.1.169 TCP 74 50641 > 11196 [SYN] Seq=0
> Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1491521 TSecr=0 WS=32
>
> 25 3.425842 192.168.1.169 192.168.1.9 ICMP 102 Destination unreachable (Host unreachable)
>
> Transmission Control Protocol, Src Port: 50641 (50641), Dst Port: 11196 (11196), Seq: 4055858902
>
> I extracted the tcp part of the icmp host unreachable message above; as
> you can see, it indicates that LVS seems to have no listener/virtual
> server for the client ftp data connection '50641 > 11196 [SYN]'. I
> thought the iptables mangle rules should handle the passive ftp data
> connection, but it appears not. Am I missing anything?
>
> I am running the latest Linux 3.14.0-rc7+, all the related
> netfilter/ipvs ftp modules are loaded properly, and netfilter/ipvs
> connection tracking is enabled too.
>
> Regards,
>
> Vincent
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
> Send requests to lvs-users-requ...@linuxvirtualserver.org
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users

--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/
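Added check, not part of the thread or of the LVS project: it parses constructed copies of the `ipvsadm -Ln`, `lsmod` and mangle-rule output modelled on Vincent's post and reports the two things the reply points at, a NAT (Masq) FTP service with ip_vs_ftp not loaded, and marks set in mangle PREROUTING that no FWM virtual service picks up. The FWM check assumes the fwmark-based layout of the linked CentOS document is what the marks were intended for.

```python
import re
# Constructed captures modelled on the thread's output (not from a live host).
IPVSADM_OUT = """IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.169:21 rr
  -> 192.168.3.2:21               Masq    1      0          0
  -> 192.168.3.3:21               Masq    1      0          0
"""
LSMOD_OUT = """Module                  Size  Used by
ip_vs_rr               12600  1
ip_vs                 140944  3 ip_vs_rr
nf_conntrack_ftp       18638  0
"""
MANGLE_RULES = [
    "-A PREROUTING -p tcp -d 192.168.1.169/32 --dport 21 -j MARK --set-mark 21",
    "-A PREROUTING -p tcp -d 192.168.1.169/32 --dport 10000:20000 -j MARK --set-mark 21",
]

def loaded_modules(lsmod_text):
    """Module names from `lsmod` output; the header line is skipped."""
    return {line.split()[0] for line in lsmod_text.splitlines()[1:] if line.strip()}

def parse_ipvsadm(text):
    """Return (services, fwmarks): service name -> real-server forwarding methods."""
    services, fwmarks, current = {}, set(), None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] in ("TCP", "UDP"):
            current = f"{fields[0]} {fields[1]}"
            services[current] = set()
        elif fields[0] == "FWM":              # fwmark-based virtual service
            fwmarks.add(int(fields[1]))
            current = None
        elif fields[0] == "->" and current:   # real server line: Masq/Route/Tunnel
            services[current].add(fields[2])
    return services, fwmarks

def marks_set(rules):
    """Firewall marks assigned by `-j MARK --set-mark N` mangle rules."""
    return {int(m) for r in rules for m in re.findall(r"--set-mark\s+(\d+)", r)}

def diagnose(ipvsadm_text, lsmod_text, rules):
    """List the misconfigurations this check can see; an empty list means none."""
    findings, mods = [], loaded_modules(lsmod_text)
    services, fwmarks = parse_ipvsadm(ipvsadm_text)
    for svc, methods in services.items():
        if svc.endswith(":21") and "Masq" in methods and "ip_vs_ftp" not in mods:
            findings.append(f"{svc}: NAT-mode FTP service but ip_vs_ftp is not loaded")
    for mark in sorted(marks_set(rules) - fwmarks):
        findings.append(f"mark {mark}: set in mangle PREROUTING but no FWM {mark} service")
    return findings
```

Run it against real output with `ipvsadm -Ln`, `lsmod` and `iptables -t mangle -S PREROUTING` on the director; a clean run returns an empty list.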