Yes, I need to get passive ftp working as well so I don't have to explain the difference between active and passive to all our customers.
regards, Jason

On 06/14/2015 09:01 PM, ja...@monsterjam.org wrote:
> hey folks, I've read the howtos for a few days now and can't seem to get this to work.. I've got a
> centos box running lvs and 2 backend ftp servers running vsftpd. the backend servers are
> set to use passive ports 50000-60000
> my server running lvs, has 2 nics, one on the innernets and one private. the two ftp servers are on the
> private network. the 2 ftp servers have
> pasv_address=x.x.x.x
> where x.x.x.x is the outside (internet facing) ip address of my lvs server..
> my lvs server is doing the following
> export realip=(outside ip address of my server)
> ipvsadm -A -t $realip:21 -s wrr
> ipvsadm -a -t $realip:21 -r 10.1.6.11 -m
> ipvsadm -a -t $realip:21 -r 10.1.6.12 -m
>
> 10.1.6.11=vsftp server 1
> 10.1.6.12=vsftp server 2
>
> sooo from a host on the outside, I can connect to my lvs server's outside ip address on port 21
> and if I'm using active mode ftp, I can list directories and see files and whatnot..
> If I use passive mode, it just hangs..
>
> on the lvs server, I have
> [jason@host1 ~]$ lsmod | grep ftp
> nf_nat_ftp 3507 0
> nf_conntrack_ftp 12913 1 nf_nat_ftp
> nf_nat 23316 3 nf_nat_ftp,ipt_MASQUERADE,iptable_nat
> ip_vs_ftp 3738 2
> ip_vs 125694 7 ip_vs_ftp,ip_vs_wrr,ip_vs_wlc
> nf_conntrack 80422 8 nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
>
> but when I sniff the ftp connection on host1 (lvs server), I see the following:
> 20:21:41.928714 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671275663 ecr 0,nop,wscale 6], length 0
> 20:21:43.928811 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671277663 ecr 0,nop,wscale 6], length 0
>
> which looks correct for the most part, but I seem to be missing the "config" that passes along the passive ftp connections
> from the lvs server to the back end servers.
>
> i tried the
> iptables -t mangle -A PREROUTING -p tcp -d lvsoutsideaddress/32 --dport 21 -j MARK --set-mark 21
> iptables -t mangle -A PREROUTING -p tcp -d lvsoutsideaddress/32 --dport 50000:60000 -j MARK --set-mark 21
> this seems like it wouldn't work anyway, because it's just setting marks on the traffic, don't you need
> some other config to DO something with the marked traffic?
>
> regards,
> Jason
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
> Send requests to lvs-users-requ...@linuxvirtualserver.org
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
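The usual LVS-NAT answer to the question at the end of the quoted message is to schedule on the firewall mark itself (ipvsadm -f) with persistence, so the port 21 control connection and the 50000-60000 passive data connections from one client all land on the same vsftpd host. The script below is an added example, not from the thread or the LVS project: it generates those rules for the addresses in the message and applies them only when run as root with APPLY=1; the outside address 203.0.113.10 is a constructed placeholder, the 300 second persistence timeout is an assumption, and it assumes the real servers already route their replies back through the director's private address.

```shell
#!/bin/sh
# Added example: fwmark-based LVS-NAT rules that keep an FTP client's control
# and passive data connections on one real server. Prints the rules by default;
# APPLY=1 (as root, with ip_vs loaded) executes them instead.
VIP="203.0.113.10"            # constructed placeholder for the director's outside IP
RS_LIST="10.1.6.11 10.1.6.12" # vsftpd real servers from the message
PASV_RANGE="50000:60000"      # must match pasv_min_port/pasv_max_port on vsftpd
MARK=21                       # same mark value the message already used
PERSIST=300                   # assumed persistence timeout in seconds

ftp_lvs_rules() {
    # Mark port 21 and the whole passive range identically so ipvsadm can
    # treat them as one virtual service instead of a -t $VIP:21 service.
    echo "iptables -t mangle -A PREROUTING -p tcp -d $VIP/32 --dport 21 -j MARK --set-mark $MARK"
    echo "iptables -t mangle -A PREROUTING -p tcp -d $VIP/32 --dport $PASV_RANGE -j MARK --set-mark $MARK"
    # Schedule on the mark (-f); -p makes every later connection from the same
    # client follow the real server that answered its PASV reply. vsftpd's
    # pasv_address already advertises $VIP, so the reply needs no rewriting.
    echo "ipvsadm -A -f $MARK -s wrr -p $PERSIST"
    for rs in $RS_LIST; do
        # -m selects masquerading (LVS-NAT); the real servers must default-route
        # back through the director's private address for replies to be un-NATed.
        echo "ipvsadm -a -f $MARK -r $rs -m"
    done
}

count_rules() { ftp_lvs_rules | wc -l | tr -d ' '; }

if [ "${APPLY:-0}" = "1" ]; then
    ftp_lvs_rules | while read -r cmd; do eval "$cmd"; done
else
    ftp_lvs_rules
fi
```

Check the result with `ipvsadm -Ln --persistent-conn` after a passive listing; the data connection should show up on the same real server as the client's control connection.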