hey folks, I've read the howtos for a few days now and can't seem to get this to work. I've got a CentOS box running LVS and 2 backend FTP servers running vsftpd. The backend servers are set to use passive ports 50000-60000. My server running LVS has 2 NICs, one on the internet and one private. The two FTP servers are on the private network. The 2 FTP servers have pasv_address=x.x.x.x where x.x.x.x is the outside (internet facing) IP address of my LVS server. My LVS server is doing the following:

export realip=(outside ip address of my server)
ipvsadm -A -t $realip:21 -s wrr
ipvsadm -a -t $realip:21 -r 10.1.6.11 -m
ipvsadm -a -t $realip:21 -r 10.1.6.12 -m

10.1.6.11 = vsftp server 1
10.1.6.12 = vsftp server 2

Sooo, from a host on the outside, I can connect to my LVS server's outside IP address on port 21, and if I'm using active mode FTP, I can list directories and see files and whatnot. If I use passive mode, it just hangs. On the LVS server, I have:

[jason@host1 ~]$ lsmod | grep ftp
nf_nat_ftp 3507 0
nf_conntrack_ftp 12913 1 nf_nat_ftp
nf_nat 23316 3 nf_nat_ftp,ipt_MASQUERADE,iptable_nat
ip_vs_ftp 3738 2
ip_vs 125694 7 ip_vs_ftp,ip_vs_wrr,ip_vs_wlc
nf_conntrack 80422 8 nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state

But when I sniff the FTP connection on host1 (LVS server), I see the following:

20:21:41.928714 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671275663 ecr 0,nop,wscale 6], length 0
20:21:43.928811 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671277663 ecr 0,nop,wscale 6], length 0

which looks correct for the most part, but I seem to be missing the "config" that passes along the passive FTP connections from the LVS server to the back end servers. I tried the

iptables -t mangle -A PREROUTING -p tcp -d lvsoutsideaddress/32 --dport 21 -j MARK --set-mark 21
iptables -t mangle -A PREROUTING -p tcp -d lvsoutsideaddress/32 --dport 50000:60000 -j MARK --set-mark 21

This seems like it wouldn't work anyway, because it's just setting marks on the traffic; don't you need some other config to DO something with the marked traffic?

regards,
Jason

_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
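A quick check of what the backends actually advertise in their PASV replies, as an added example that is not part of the post or of vsftpd/LVS: it parses a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and verifies that the address is the director's public VIP (the pasv_address setting) and that the port falls in the 50000-60000 passive range, which is what the data SYN seen in the capture must match. The VIP and the sample replies are constructed placeholders.

```python
import re
from ipaddress import ip_address

# Constructed placeholder for the director's public (internet-facing) address,
# the value the backends are expected to put in pasv_address.
DIRECTOR_VIP = "203.0.113.10"
# Passive port range configured on the vsftpd backends in the post.
PASV_PORT_RANGE = (50000, 60000)

# RFC 959 reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 PASV reply; raise ValueError otherwise."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("byte out of range in PASV reply: %r" % reply)
    ip = "%d.%d.%d.%d" % tuple(fields[:4])
    port = fields[4] * 256 + fields[5]  # p1 is the high byte, p2 the low byte
    return ip, port


def check_pasv(reply, expected_ip=DIRECTOR_VIP, port_range=PASV_PORT_RANGE):
    """List the ways the advertised endpoint would not be reachable through the
    director; an empty list means the reply is consistent with the setup."""
    problems = []
    ip, port = parse_pasv(reply)
    if ip != expected_ip:
        hint = ""
        if ip_address(ip).is_private:
            hint = " (private address: pasv_address not in effect?)"
        problems.append("advertised %s, expected VIP %s%s" % (ip, expected_ip, hint))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("port %d outside passive range %d-%d" % (port, lo, hi))
    return problems


# Constructed sample replies: one correct, one leaking a backend's private
# address, one advertising a port outside the configured range.
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,228,6)\r\n"
LEAK_REPLY = "227 Entering Passive Mode (10,1,6,11,195,80)\r\n"
BAD_PORT_REPLY = "227 Entering Passive Mode (203,0,113,10,235,0)\r\n"
```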