[lvs-users] IPVSadm and passive FTP bug on CentOS 7/Debian 8, works fine on CentOS 5

Julian Anastasov ja at ssi.bg
Mon Dec 5 08:46:08 GMT 2016


	Hello,

On Fri, 2 Dec 2016, Mischa Verheul wrote:

> Hello,
> 
> I'm trying to set up an IPVS NAT loadbalance solution with failover through
> keepalived and sync through "ipvsadm --start-daemon" on CentOS 7.
> Protocols such as HTTP work as expected, but FTP in passive mode isn't
> working for the FTP-data connection. It stops after issuing a list or get
> command.
> 
> After I couldn't find out what was possibly wrong with my configuration
> after following documentation, I set up two basic IPVS setups for
> trial&error:
> Client        ->        IPVSmachine        ->        FTPserver
> 192.168.2.6        2.100/157.254            192.168.157.10/GW 192.168.157.254
> 
> CentOS 5: uname -r 2.6.18-398.el5
> CentOS 7: uname -r 3.10.0-327.36.3.el7.x86_64
> 
> Configuration on both IPVS machines is identical:
> ipvsadm -A -t 192.168.2.100:21 -s rr
> ipvsadm -a -t 192.168.2.100:21 -r 192.168.157.10:21 -m
> net.ipv4.ip_forward=1
> modprobe ip_vs_ftp
> no iptables rules
> 
> [root@cent5 ~]# lsmod | grep -i ftp
> Module                  Size  Used by
> ip_vs_ftp              39109  1
> ip_vs                 122241  5 ip_vs_ftp,ip_vs_rr
> 
> 
> [root@cent7 ~]# lsmod | grep -i ftp
> Module                  Size  Used by
> ip_vs_ftp              13079  0
> nf_nat                 26146  1 ip_vs_ftp
> ip_vs                 140944  5 ip_vs_rr,ip_vs_ftp

	For the new kernels more modules are needed:

# 2.6.22+: the FTP conntrack helper parses the PASV/PORT exchange and the
# NAT helper rewrites the data-connection address it announces
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp

# For ip_vs_ftp (NAT mode) to properly adjust TCP SEQ numbers, conntrack
# must not drop the shifted sequence numbers as out-of-window.
# Only one of the two paths exists, depending on the kernel:
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
# or
echo 1 > /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal

# 2.6.36+, ip_vs_ftp (NAT mode) to properly adjust TCP SEQ numbers
# (the module is named iptable_nat):
modprobe iptable_nat

	You can find more info (a bit outdated, up to 2.6.36) in
HOWTO.txt here:

http://ja.ssi.bg/nfct/

	i.e. you can check the example with iptables rules
in case you have some filtering applied.

Regards

--
Julian Anastasov <ja at ssi.bg>
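A read-only audit script for the prerequisites Julian lists, added here as an example; it is not code from the thread, from the HOWTO or from the LVS project. It takes the module names, the two tcp_be_liberal sysctl paths and the kernel thresholds (2.6.22+, 2.6.36+) from the reply, spells the nat table module iptable_nat (its real name), and uses its own function names (kernel_ge, missing_ftp_modules, read_be_liberal, ftp_nat_ready). The lsmod samples are constructed from the output quoted in the question; the module sizes in the "fixed" sample are made up. It loads nothing and needs no root.

```shell
#!/bin/sh
# Added example (not from the thread or the LVS project): read-only audit of an
# IPVS NAT director for the ip_vs_ftp prerequisites. Module names, sysctl paths
# and kernel thresholds follow Julian's reply; function names are this example's.

# kernel_ge MAJ MIN PATCH VERSION : succeed if VERSION (uname -r style) >= MAJ.MIN.PATCH
kernel_ge() {
    ver=$(printf '%s' "$4" | sed 's/[^0-9.].*//')   # "3.10.0-327.el7.x86_64" -> "3.10.0"
    maj=${ver%%.*}; rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0                   # no minor number given
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0                    # no patch level given
    if [ "$maj" -ne "$1" ]; then [ "$maj" -gt "$1" ]
    elif [ "$min" -ne "$2" ]; then [ "$min" -gt "$2" ]
    else [ "$pat" -ge "$3" ]
    fi
}

# missing_ftp_modules MODULES_TEXT VERSION : print the required modules absent from
# MODULES_TEXT (lsmod or /proc/modules format: module name first on each line)
missing_ftp_modules() {
    need="ip_vs ip_vs_ftp"
    if kernel_ge 2 6 22 "$2"; then need="$need nf_conntrack_ftp nf_nat_ftp"; fi
    if kernel_ge 2 6 36 "$2"; then need="$need iptable_nat"; fi
    out=""
    for m in $need; do
        printf '%s\n' "$1" | grep -q "^$m " || out="$out $m"
    done
    printf '%s\n' "${out# }"
}

# read_be_liberal : print tcp_be_liberal from whichever sysctl path this kernel has,
# or "unknown" when neither exists (non-Linux host, conntrack not loaded)
read_be_liberal() {
    for f in /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    echo unknown
}

# ftp_nat_ready VERSION MODULES_TEXT BE_LIBERAL : succeed only when no module is
# missing and conntrack is liberal about sequence numbers; explain otherwise
ftp_nat_ready() {
    missing=$(missing_ftp_modules "$2" "$1")
    ok=0
    if [ -n "$missing" ]; then
        echo "missing modules (modprobe them): $missing"; ok=1
    fi
    if [ "$3" != 1 ]; then
        echo "tcp_be_liberal is '$3', expected 1 (ip_vs_ftp SEQ adjustment will break)"; ok=1
    fi
    [ "$ok" -eq 0 ] && echo "ip_vs_ftp NAT prerequisites satisfied for kernel $1"
    return "$ok"
}

# Constructed from the lsmod output quoted in the thread (CentOS 7 director)
CENT7_LSMOD='ip_vs_ftp              13079  0
nf_nat                 26146  1 ip_vs_ftp
ip_vs                 140944  5 ip_vs_rr,ip_vs_ftp'
CENT7_KVER=3.10.0-327.36.3.el7.x86_64

# Constructed: the same director after the reply's modprobes (sizes made up)
CENT7_FIXED="$CENT7_LSMOD
nf_conntrack_ftp       18638  1 nf_nat_ftp
nf_nat_ftp             12809  0
iptable_nat            12875  0"

# Constructed from the lsmod output quoted in the thread (CentOS 5 director)
CENT5_LSMOD='ip_vs_ftp              39109  1
ip_vs                 122241  5 ip_vs_ftp,ip_vs_rr'
CENT5_KVER=2.6.18-398.el5

# Live check when run on a Linux host; the constructed sample is always shown.
if [ -r /proc/modules ]; then
    ftp_nat_ready "$(uname -r)" "$(cat /proc/modules)" "$(read_be_liberal)" || true
fi
ftp_nat_ready "$CENT7_KVER" "$CENT7_LSMOD" 0 || true
```

On the CentOS 7 director from the question this reports nf_conntrack_ftp, nf_nat_ftp and iptable_nat as missing, while the CentOS 5 one (2.6.18) needs nothing beyond ip_vs and ip_vs_ftp, which matches the two lsmod listings.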


