[lvs-users] can't get passive ftp working through nat for clustered ftp hosts.
jason at monsterjam.org
Mon Jun 15 02:01:06 BST 2015
hey folks, I've read the howtos for a few days now and can't seem to get this to work. I've got a
centos box running lvs and 2 backend ftp servers running vsftpd. the backend servers are
set to use passive ports 50000-60000
my server running lvs has 2 nics, one on the innernets and one private. the two ftp servers are on the
private network. the 2 ftp servers have
pasv_address=x.x.x.x
where x.x.x.x is the outside (internet facing) ip address of my lvs server..
my lvs server is doing the following
export realip=(outside ip address of my server)
ipvsadm -A -t $realip:21 -s wrr
ipvsadm -a -t $realip:21 -r 10.1.6.11 -m
ipvsadm -a -t $realip:21 -r 10.1.6.12 -m
10.1.6.11=vsftp server 1
10.1.6.12=vsftp server 2
sooo from a host on the outside, I can connect to my lvs server's outside ip address on port 21
and if I'm using active mode ftp, I can list directories and see files and whatnot.
If I use passive mode, it just hangs.
on the lvs server, I have
[jason at host1 ~]$ lsmod | grep ftp
nf_nat_ftp 3507 0
nf_conntrack_ftp 12913 1 nf_nat_ftp
nf_nat 23316 3 nf_nat_ftp,ipt_MASQUERADE,iptable_nat
ip_vs_ftp 3738 2
ip_vs 125694 7 ip_vs_ftp,ip_vs_wrr,ip_vs_wlc
nf_conntrack 80422 8 nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
but when I sniff the ftp connection on host1 (lvs server), I see the following:
20:21:41.928714 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671275663 ecr 0,nop,wscale 6], length 0
20:21:43.928811 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671277663 ecr 0,nop,wscale 6], length 0
which looks correct for the most part, but I seem to be missing the "config" that passes along the passive ftp connections
from the lvs server to the back end servers.
I tried the
iptables -t mangle -A PREROUTING -p tcp -d lvsoutsideaddress/32 --dport 21 -j MARK --set-mark 21
iptables -t mangle -A PREROUTING -p tcp -d lvsoutsideaddress/32 --dport 50000:60000 -j MARK --set-mark 21
this seems like it wouldn't work anyway, because it's just setting marks on the traffic; don't you need
some other config to DO something with the marked traffic?
regards,
Jason
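What acts on those marks, as an added example that is not part of the thread: an ipvsadm virtual service keyed on the fwmark (-f) with client persistence, which replaces the VIP:21 service from the post so the control connection and the passive data connection from one client land on the same real server. It prints the rule set for review instead of applying it; the VIP is a placeholder, and the real-server addresses, mark and passive range are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the thread. A fwmark-based LVS-NAT service for
# passive FTP: the MARK rules only tag packets, the ipvsadm "-f" service
# is what forwards marked packets to the real servers, and "-p" (persistence)
# keeps port 21 and the 50000-60000 data connection of one client together.

VIP="${VIP:-192.0.2.10}"              # placeholder public address of the director
REALS="${REALS:-10.1.6.11 10.1.6.12}" # vsftpd hosts from the post
PASV_RANGE="${PASV_RANGE:-50000:60000}"
MARK="${MARK:-21}"
PERSIST="${PERSIST:-600}"             # seconds a client sticks to one real server

# Print the rule set so it can be reviewed, then applied with:
#   lvs_ftp_fwmark_rules | sudo sh
lvs_ftp_fwmark_rules() {
    cat <<EOF
# tag the control port and the passive data range with one mark
iptables -t mangle -A PREROUTING -p tcp -d $VIP/32 --dport 21 -j MARK --set-mark $MARK
iptables -t mangle -A PREROUTING -p tcp -d $VIP/32 --dport $PASV_RANGE -j MARK --set-mark $MARK
# one persistent virtual service keyed on the mark instead of on VIP:port
ipvsadm -A -f $MARK -s wrr -p $PERSIST
EOF
    for r in $REALS; do
        # -m = masquerading (LVS-NAT), same as the per-port service in the post
        echo "ipvsadm -a -f $MARK -r $r -m"
    done
    cat <<EOF
# LVS-NAT needs the director to forward; the real servers use it as their gateway
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Count how many real-server entries the rule set contains (one per host in REALS)
lvs_ftp_real_count() {
    lvs_ftp_fwmark_rules | grep -c "^ipvsadm -a -f $MARK -r "
}

if [ "${1:-}" = "--print" ]; then
    lvs_ftp_fwmark_rules
fi
```

After applying, `ipvsadm -L -n` should list the mark-based service (FWM 21) with both real servers instead of the VIP:21 entry.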