NAT FTP Clients and Linux-2.6 on Load-Balancer

Donald J Giuliano guido at operations.ocs.ou.edu
Wed Aug 31 17:27:25 BST 2005


Hmmm, after investigating, it appears that the LVS server is routing 
traffic to the wrong IP address for traffic coming from the ftp-data 
port of the real-server.  With the LBs running 2.4, this traffic is 
coming from the correct alias on the LB, but with the LBs running 2.6, 
the traffic is coming from the external IP address of the LB itself, 
and not the external alias the FTP traffic is directed to.  Thus the 
FTP client tries to connect to the ftp-data port on the LB, and of 
course bombs out with "connection refused".  Not sure how I missed 
this before, but I'm not sure how to fix it either.

--Don

On Tue, 2005-08-30 at 22:19 -0400, Roger Tsang wrote:
> Okay.  What does tcpdump on the client side say?  Look at where the
> packet was last seen.
> 
> Roger
> 
> On 8/30/05, Donald J Giuliano <guido at operations.ocs.ou.edu> wrote:
>         It seems as though it would have something to do with that, but
>         why then does active FTP work with the load-balancers running
>         2.4.26?  The FTP clients behind a NAT (i.e., our users) work fine
>         with the load-balancers running 2.4.26, but not with the ones
>         running 2.6.12.  It's the same NAT on the client side either way.
>         
>         --Don
>         
>         On Tue, 2005-08-30 at 17:35 -0400, Roger Tsang wrote:
>         > Your NAT firewall is blocking active FTP. 
>         >
>         > Roger
>         >
>         >
>         > On 8/30/05, Donald J Giuliano <guido at operations.ocs.ou.edu> wrote:
>         >         Actually, to clarify, it is only active FTP that fails on
>         >         the new load-balancers.  Passive FTP works fine.  It should
>         >         also be noted that active FTP has no trouble whatsoever on
>         >         the current machines running 2.4.26.
>         >
>         >         --Don
>         >
>         >         On Tue, 2005-08-30 at 17:30 +0000, Donald J Giuliano wrote:
>         >         > Hi,
>         >         >
>         >         > I'm currently working to migrate two linux-2.4/keepalived
>         >         > IPVS load-balancers to new machines running
>         >         > linux-2.6/keepalived.  Everything works perfectly on the
>         >         > old setup, but on the new machines the load-balanced FTP
>         >         > fails when the client is behind a NAT firewall.  I'm
>         >         > running the Antefacto ipvs-nfct patch on both the 2.4.26
>         >         > and 2.6.12 configurations so that the LBs can also function
>         >         > as firewalls.  I have made no changes to the iptables
>         >         > configuration, other than removing some superfluous rules
>         >         > filtering "unclean" packets, which aren't supported in 2.6
>         >         > anyway.  All the same IPVS kernel modules are loaded on
>         >         > both machines.  The keepalived configurations are
>         >         > identical.  Any idea what would cause this problem?
>         >         >
>         >
>         >         _______________________________________________
>         >         LinuxVirtualServer.org mailing list -
>         >         lvs-users at LinuxVirtualServer.org
>         >         Send requests to lvs-users-request at LinuxVirtualServer.org
>         >         or go to http://www.in-addr.de/mailman/listinfo/lvs-users
>         >
> 
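
A way to check a client-side tcpdump capture for the symptom described at the top of this message, i.e. ftp-data (port 20) SYNs arriving from an address other than the one the FTP control connection went to. This is an added example, not part of the original thread; all addresses and capture lines are constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# tcpdump -nn line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
PKT = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]"
)

def find_mismatched_data_syns(lines):
    """Return (client, data_src, control_dsts) for each ftp-data SYN whose
    source address is not one the client opened an FTP control session to."""
    control = defaultdict(set)  # client IP -> server IPs contacted on port 21
    findings = []
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags != "S":        # initial SYNs only; skips SYN-ACK ("S.") etc.
            continue
        if dport == "21":
            control[src].add(dst)
        elif sport == "20" and dst in control and src not in control[dst]:
            findings.append((dst, src, sorted(control[dst])))
    return findings

# Constructed capture. Assumed roles: 203.0.113.10 is the virtual IP (alias),
# 203.0.113.2 is the load-balancer's own external address, and the
# 198.51.100.x hosts are FTP clients as seen from outside their NAT.
SAMPLE = """\
17:20:01.000001 IP 198.51.100.7.40112 > 203.0.113.10.21: Flags [S], seq 100, win 5840, length 0
17:20:01.000400 IP 203.0.113.10.21 > 198.51.100.7.40112: Flags [S.], seq 900, ack 101, win 5792, length 0
17:20:03.100000 IP 203.0.113.10.20 > 198.51.100.7.40113: Flags [S], seq 300, win 5840, length 0
17:21:10.000001 IP 198.51.100.9.51200 > 203.0.113.10.21: Flags [S], seq 500, win 5840, length 0
17:21:12.700000 IP 203.0.113.2.20 > 198.51.100.9.51201: Flags [S], seq 700, win 5840, length 0
""".splitlines()

if __name__ == "__main__":
    for client, data_src, expected in find_mismatched_data_syns(SAMPLE):
        print(f"{client}: ftp-data SYN from {data_src}, "
              f"control session was to {expected}")
```
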


