[lvs-users] cant get passive ftp working through nat for clustered ftp hosts.

support at remsnet.de support at remsnet.de
Sun Jun 28 11:46:06 BST 2015

> > hey folks,
Hello Jason,
> > export realip=(outside ip address of my server)
> > ipvsadm -A -t $realip:21 -s wrr
> > ipvsadm -a -t $realip:21 -r -m
> > ipvsadm -a -t $realip:21 -r -m
> >
> > server 1
> > server 2
That setup reads as a plan for LVS-NAT ... but with incomplete LVS-NAT rules.
You need to cover ALL configured vsftpd server PORTS on the LVS balancer nodes - otherwise you'll never see a SYN nor an ACK :)
With LVS-DR the vsftpd can give direct answers; on LVS-NAT you have to take care of the configured redirected ports very carefully.
You probably also need the ip_vs_ftp kernel module:
  # lsmod | grep ftp
  ip_vs_ftp 6731 0
  nf_nat 16229 1 ip_vs_ftp
  ip_vs 157311 6 ip_vs_ftp,ip_vs_rr
So it should be, e.g.:
> > > ipvsadm -A -t $realip:20-21 -s wrr
> > > ipvsadm -a -t $realip:20-21 -r -m
> > > ipvsadm -a -t $realip:20-21 -r -m
> > > ipvsadm -A -t $realip:50000-60000 -s wrr
> > > ipvsadm -a -t $realip:50000-60000 -r -m
> > > ipvsadm -a -t $realip:50000-60000 -r -m
If there are still issues, then install wireshark on the LVS; that will tell you exactly what is happening in your LVS nodes' network traffic.
For passive vsftpd you must configure it like this: http://splatdot.com/running-vsftpd-behind-a-nat-firewall/
and let the ports 20/21 + passive ftp port traffic pass through your lvs-nat setup.
If you want passive sftpd you need some other standard ports for that as well, e.g. 115.
> > Check if INPUT firewall rules allow the passive data
> > traffic. For example, such rules may help:
> >
> > # Accept FTP DATA (related) and FTP CONTROL (established) traffic:
> > iptables -A INPUT -p tcp -d $VIP -m state --state RELATED,ESTABLISHED -j ACCEPT
> > # Accept FTP CONTROL:
> > iptables -A INPUT -p tcp -d $VIP --dport 21 -m state --state NEW -j ACCEPT
I would suggest using e.g. keepalived to manage your LVS-NAT FTP port rules and the IP failover.
..take care of port & NAT routing as Julian suggested.
- https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Cluster_Administration/s1-lvs-ftp.html
- http://keepalived.org/LVS-NAT-Keepalived-HOWTO.html
Hope this helps.
Best Regards
Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de - 1995 - 2015 - 20 years of Linux/Unix support.
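As an added example (not from the post, nor from the vsftpd or LVS projects), the script below derives the LVS-NAT forwarding rules from the passive range actually set in vsftpd.conf, so the balancer forwards exactly the ports vsftpd announces and nothing wider, and ties them together with the INPUT rules quoted in the thread. It uses the firewall-mark form (iptables MARK plus ipvsadm -f) that the linked Red Hat LVS FTP document uses to put port 21 and the passive range into one virtual service; the VIP 203.0.113.10, real servers 192.0.2.11/12, mark 21 and the vsftpd.conf excerpt are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate LVS-NAT FTP rules from vsftpd's passive range.
# Dry run by default; set APPLY=1 to execute the generated commands as root.

# Constructed vsftpd.conf excerpt (sample input, not a real config).
SAMPLE_CONF='listen=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=60000
pasv_address=203.0.113.10'

# pasv_range_from_conf CONF_TEXT -> "MIN MAX"; fails if unset or inverted,
# so a balancer rule is never generated for a range vsftpd does not use.
pasv_range_from_conf() {
    min=$(printf '%s\n' "$1" | sed -n 's/^pasv_min_port=\([0-9]*\)$/\1/p')
    max=$(printf '%s\n' "$1" | sed -n 's/^pasv_max_port=\([0-9]*\)$/\1/p')
    [ -n "$min" ] && [ -n "$max" ] && [ "$min" -le "$max" ] || return 1
    printf '%s %s\n' "$min" "$max"
}

# gen_lvs_nat_ftp_rules VIP MARK PASV_MIN PASV_MAX RIP... -> prints commands.
# Control (21) and passive data share one firewall mark; with -f services
# the real server keeps the original destination port, and ip_vs_ftp links
# each data connection to its control connection.
gen_lvs_nat_ftp_rules() {
    vip=$1; mark=$2; pmin=$3; pmax=$4; shift 4
    echo "modprobe ip_vs_ftp"
    echo "iptables -t mangle -A PREROUTING -p tcp -d $vip --dport 21 -j MARK --set-mark $mark"
    echo "iptables -t mangle -A PREROUTING -p tcp -d $vip --dport $pmin:$pmax -j MARK --set-mark $mark"
    echo "ipvsadm -A -f $mark -s wrr"
    for rip in "$@"; do
        echo "ipvsadm -a -f $mark -r $rip -m"
    done
    # INPUT rules as quoted in the thread: NEW only on 21, data via RELATED.
    echo "iptables -A INPUT -p tcp -d $vip --dport 21 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp -d $vip -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

range=$(pasv_range_from_conf "$SAMPLE_CONF") || { echo "no usable pasv range" >&2; exit 1; }
set -- $range
rules=$(gen_lvs_nat_ftp_rules 203.0.113.10 21 "$1" "$2" 192.0.2.11 192.0.2.12)
if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$rules" | sh -e
else
    printf '%s\n' "$rules"
fi
```

Compare the printed mangle range against `pasv_min_port`/`pasv_max_port` on each real server after any vsftpd change; a mismatch is exactly the "control works, data hangs" symptom described above.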