[Linux-cluster] iptables rules for LVS-DR cluster

John Garrity jgarrity at qualcomm.com
Sat Apr 5 18:04:33 UTC 2008


Question: how did you set the scheduler to "n"? 

I don't see a choice for "none" in Piranha and I tried manually editing /etc/sysconfig/ha/lvs.cf with no luck. Even when I commented out the scheduler field it seems to default to wlc. 

Basically, I'm not sure that it's my iptables rules that are giving me a problem. Maybe it's what Christopher mentions below? How would I remove port 20 from LVS? 

I tried using a firewall mark of 20 and have Piranha configured to use 21 as the application port. I can ftp to the real servers using their real IPs but ftps to the VIP fail with the error on the ftp client "An existing connection was forcibly closed by the remote host."

Persistence is set to 20

Here are the iptables rules I'm using

# service iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    MARK       tcp  --  0.0.0.0/0            VIP         tcp dpts:10000:20000 MARK set 0x14 
2    MARK       tcp  --  0.0.0.0/0            VIP         tcp dpt:20 MARK set 0x14 
3    MARK       tcp  --  0.0.0.0/0            VIP         tcp dpt:21 MARK set 0x14 

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0             tcp spts:1:65535 dpts:1:65535 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination 

At 05:20 PM 4/4/2008, Johannes Russek wrote:
>we use this together with firewall mark rule in lvs-DR (piranha) and scheduler "rr" and persistent = 20:
>
>-A PREROUTING -d $VIP -i eth0 -p tcp -m tcp --dport 10000:20000 -j MARK --set-mark 0x14
>-A PREROUTING -d $VIP -i eth0 -p tcp -m tcp --dport 20 -j MARK --set-mark 0x14
>-A PREROUTING -d $VIP -i eth0 -p tcp -m tcp --dport 21 -j MARK --set-mark 0x14
>
>also vsftpd.conf is configured with
>
>pasv_min_port=10000
>pasv_max_port=20000
>
>hope this helps?
>regards,
>johannes
>
>p.s.: of course the main firewall has to open the appropriate ports as well
>
>Christopher Hawkins wrote:
>>Never had to load balance it myself, but have heard of FTP over LVS issues
>>due to lack of persistence (make sure it's on) and due to port 21 and 20
>>getting sent to different servers. The solution was to remove port 20 from
>>LVS. With LVS NAT there is a special FTP module you can load, but it should
>>not be required in LVS DR. Or are you sure the issue is iptables?
>>
>>Also I would suggest the LVS mailing list if someone here can't solve this
>>quickly.  ;-) 
>>-----Original Message-----
>>From: linux-cluster-bounces at redhat.com
>>[mailto:linux-cluster-bounces at redhat.com] On Behalf Of John Garrity
>>Sent: Friday, April 04, 2008 3:03 PM
>>To: linux clustering
>>Subject: [Linux-cluster] iptables rules for LVS-DR cluster
>>
>>I'm trying to get ftp working in a LVS DR cluster. I think it's the iptables
>>rules that might be giving me a problem. I have http services working well.
>>Can someone who has ftp working share their iptables rules? I'm new at this
>>so please go easy on me. Thanks! 
>>--
>>Linux-cluster mailing list
>>Linux-cluster at redhat.com
>>https://www.redhat.com/mailman/listinfo/linux-cluster
>>

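The thread's two suggestions (Christopher's: make sure persistence is on, otherwise the control and data connections end up on different real servers; Johannes's: put ports 20, 21 and the vsftpd passive range under one firewall mark and balance the mark with persistence) can be checked against a small model of what the director does. The block below is an added example, not code from the thread, from Piranha or from IPVS itself. It mirrors the three mangle PREROUTING rules from the thread (everything FTP-related to the VIP gets mark 0x14) and a deliberately simplified director: per-port virtual services or one fwmark service, round-robin scheduling, and an optional persistence template keyed on the client IP. The VIP, the real-server addresses, the client addresses and the Director class are constructed placeholders.

```python
"""Model of how an LVS-DR director schedules an FTP session.

Added example, not code from the thread or from IPVS/Piranha. VIP,
real-server and client addresses are constructed placeholders. The
model only covers client-initiated connections (control to port 21 and
passive data to the vsftpd range), which are the ones a DR director sees.
"""
import itertools

VIP = "192.0.2.10"                          # placeholder VIP (assumption)
REAL_SERVERS = ["10.0.0.11", "10.0.0.12"]   # placeholder real servers (assumption)
FWMARK_FTP = 0x14                           # 20 decimal, as in the thread's rules
PASV_RANGE = (10000, 20000)                 # vsftpd pasv_min_port / pasv_max_port


def mangle_mark(dst_ip, proto, dport):
    """Equivalent of the three mangle PREROUTING MARK rules: fwmark or 0."""
    if dst_ip != VIP or proto != "tcp":
        return 0
    if dport in (20, 21) or PASV_RANGE[0] <= dport <= PASV_RANGE[1]:
        return FWMARK_FTP
    return 0


class Director:
    """Simplified IPVS: rr scheduling plus persistence templates per client."""

    def __init__(self, use_fwmark, persistence):
        self.use_fwmark = use_fwmark
        self.persistence = persistence      # seconds; 0 disables persistence
        self.rr = {}                        # virtual service -> rr iterator
        self.templates = {}                 # (client, service) -> (real server, expiry)
        self.port_services = {21}           # Piranha configured with 21 as the app port

    def service_for(self, dport):
        """Pick the virtual service a SYN to VIP:dport belongs to, if any."""
        mark = mangle_mark(VIP, "tcp", dport)
        if self.use_fwmark and mark:
            return ("fwmark", mark)         # one service for every marked port
        if dport in self.port_services:
            return ("tcp", VIP, dport)      # classic per-port service
        return None                         # no service: packet stays on the director

    def schedule(self, client_ip, dport, now):
        """Return the real server chosen for a client SYN, or None if unserviced."""
        svc = self.service_for(dport)
        if svc is None:
            return None
        key = (client_ip, svc)
        if self.persistence:
            hit = self.templates.get(key)
            if hit and hit[1] > now:        # template still valid: reuse the server
                self.templates[key] = (hit[0], now + self.persistence)
                return hit[0]
        rs = next(self.rr.setdefault(svc, itertools.cycle(REAL_SERVERS)))
        if self.persistence:
            self.templates[key] = (rs, now + self.persistence)
        return rs


def ftp_session(director, client_ip, pasv_port, t0=0):
    """Control connection to port 21, then a passive data connection 5 s later."""
    control = director.schedule(client_ip, 21, t0)
    data = director.schedule(client_ip, pasv_port, t0 + 5)
    return control, data


if __name__ == "__main__":
    cases = [
        ("per-port service on 21 only, no persistence", Director(False, 0)),
        ("fwmark 20, rr, no persistence", Director(True, 0)),
        ("fwmark 20, rr, persistence 20", Director(True, 20)),
    ]
    for label, d in cases:
        control, data = ftp_session(d, "198.51.100.7", 15000)
        print(f"{label:46s} control -> {control}  data -> {data}")
```

Running it shows the three outcomes the thread is circling around. With only a per-port service on 21, the passive data SYN to VIP:15000 matches no virtual service, so it is handled by the director's own TCP stack where nothing listens, and the client sees the connection refused or reset. With the fwmark service but no persistence, rr hands the control connection to one real server and the data connection to the other, which the server rejects because it knows nothing about that session. With fwmark plus persistence, both connections from the same client land on the same real server for as long as the template is refreshed, and a different client is free to be scheduled elsewhere. On a real director the same checks are `iptables -t mangle -L PREROUTING -n` for the marks and `ipvsadm -Ln --persistent-conn` for the templates.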