[lvs-users] can't get passive ftp working through nat for clustered ftp hosts.

Julian Anastasov ja at ssi.bg
Sat Jun 27 13:56:52 BST 2015


	Hello,

On Sun, 14 Jun 2015, jason at monsterjam.org wrote:

> hey folks, I've read the howtos for a few days now and can't seem to get this to work.. I've got a
> centos box running lvs and 2 backend ftp servers running vsftpd. the backend servers are
> set to use passive ports 50000-60000
> my server running lvs has 2 nics, one on the innernets and one private. the two ftp servers are on the
> private network. the 2 ftp servers have
> pasv_address=x.x.x.x
> where x.x.x.x is the outside (internet facing) ip address of my lvs server..
> my lvs server is doing the following
> export realip=(outside ip address of my server)
> ipvsadm -A -t $realip:21 -s wrr
> ipvsadm -a -t $realip:21 -r 10.1.6.11 -m
> ipvsadm -a -t $realip:21 -r 10.1.6.12 -m
>
> 10.1.6.11=vsftp server 1
> 10.1.6.12=vsftp server 2
>
> sooo from a host on the outside, I can connect to my lvs server's outside ip address on port 21
> and if I'm using active mode ftp, I can list directories and see files and whatnot..
> If I use passive mode, it just hangs..

	Check if INPUT firewall rules allow the passive data
traffic. For example, such rules may help:

# Accept FTP DATA (related) and FTP CONTROL (established) traffic:
iptables -A INPUT -p tcp -d $VIP -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept FTP CONTROL:
iptables -A INPUT -p tcp -d $VIP --dport 21 -m state --state NEW -j ACCEPT

> but when I sniff the ftp connection on host1 (lvs server), I see the following:
> 20:21:41.928714 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671275663 ecr 0,nop,wscale 6], length 0
> 20:21:43.928811 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671277663 ecr 0,nop,wscale 6], length 0

	No ACK packets? Maybe the SYNs are dropped by the firewall?

Regards

--
Julian Anastasov <ja at ssi.bg>
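As an added diagnostic example (not part of the thread), a small Python script that scans a tcpdump text trace for flows whose SYNs never receive a SYN-ACK, which is the symptom Julian points at above. The sample trace is constructed from the two quoted lines plus an assumed healthy control connection on port 21; tcpdump prints SYN as `[S]` and SYN-ACK as `[S.]`.

```python
import re
from collections import defaultdict

# Constructed sample trace: the two retransmitted SYNs quoted in the thread
# (client -> LVS box on passive data port 58374, no reply), followed by an
# assumed healthy control connection on port 21 that does get a SYN-ACK.
SAMPLE_TRACE = """\
20:21:41.928714 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671275663 ecr 0,nop,wscale 6], length 0
20:21:43.928811 IP myclienthost.org.44588 > mylvsserver.58374: Flags [S], seq 3921685969, win 14600, options [mss 1460,sackOK,TS val 3671277663 ecr 0,nop,wscale 6], length 0
20:21:40.100000 IP myclienthost.org.44587 > mylvsserver.21: Flags [S], seq 1, win 14600, length 0
20:21:40.100500 IP mylvsserver.21 > myclienthost.org.44587: Flags [S.], seq 2, ack 2, win 14480, length 0
"""

# Matches the "HH:MM:SS.usec IP src.port > dst.port: Flags [..], seq N" prefix
# that tcpdump -n prints for TCP segments; everything after seq is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?"
)

def parse_line(line):
    """Return a dict with ts/src/dst/flags/seq for a tcpdump TCP line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["seq"] = int(pkt["seq"]) if pkt["seq"] else None
    return pkt

def port_of(endpoint):
    """tcpdump writes host.port; the port is the suffix after the last dot."""
    return int(endpoint.rsplit(".", 1)[1])

def unanswered_syns(trace, passive_range=(50000, 60000)):
    """Map (client, server) -> SYN count for flows that never saw a SYN-ACK.

    passive_range is the vsftpd pasv port range from the thread; flows whose
    server port falls inside it are the passive data connections of interest.
    """
    syns = defaultdict(int)
    answered = set()
    for line in trace.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["flags"] == "S":                       # plain SYN from client
            syns[(pkt["src"], pkt["dst"])] += 1
        elif pkt["flags"] == "S.":                    # SYN-ACK from server
            answered.add((pkt["dst"], pkt["src"]))    # key by the client side
    lo, hi = passive_range
    return {flow: n for flow, n in syns.items()
            if flow not in answered and lo <= port_of(flow[1]) <= hi}
```

Two or more SYNs for the same flow with no SYN-ACK is the retransmission pattern seen in the trace; on the LVS box the next place to look is the INPUT chain and whether the FTP connection tracking helper is loaded.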
