Installation guide
determines how the server responds and on what ports transactions will occur.
The two types of data connections are:
Active Connections
When an active connection is established, the server opens a data connection to the client from
port 20 to a high range port on the client machine. All data from the server is then passed over
this connection.
Passive Connections
When a passive connection is established, the client asks the FTP server to establish a
passive connection port, which can be on any port higher than 10,000. The server then binds
to this high-numbered port for this particular session and relays that port number back to the
client. The client then opens the newly bound port for the data connection. Each data request
the client makes results in a separate data connection. Most modern FTP clients attempt to
establish a passive connection when requesting data from servers.
Note
The client determines the type of connection, not the server. This means to effectively cluster
FTP, you must configure the LVS routers to handle both active and passive connections.
The FTP client/server relationship can potentially open a large number of ports that the Piranha
Configuration Tool and IPVS do not know about.
3.5.2. How This Affects LVS Routing
IPVS packet forwarding only allows connections in and out of the cluster when it recognizes the port
number or the firewall mark. If a client from outside the cluster attempts to open a port IPVS is not
configured to handle, IPVS drops the connection. Similarly, if the real server attempts to open a connection
back out to the Internet on a port IPVS does not know about, IPVS drops the connection. This means all
connections from FTP clients on the Internet must have the same firewall mark assigned to them and all
connections from the FTP server must be properly forwarded to the Internet using network packet
filtering rules.
3.5.3. Creating Network Packet Filter Rules
Before assigning any iptables rules for FTP service, review the information in Section 3.4.1,
“Assigning Firewall Marks” concerning multi-port services and techniques for checking the existing
network packet filtering rules.
Below are rules which assign the same firewall mark, 21, to FTP traffic. For these rules to work properly,
you must also use the VIRTUAL SERVER subsection of Piranha Configuration Tool to configure a
virtual server for port 21 with a value of 21 in the Firewall Mark field. See Section 4.6.1, “The
VIRTUAL SERVER Subsection” for details.
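As an added example (not the guide's own rules), the script below prints the iptables rules that give the FTP control connection, the passive data ports and the real servers' active-mode data connections one firewall mark, and refuses a passive range that is unbounded or starts below 10,000. The VIP 192.0.2.10, the real-server subnet 192.168.1.0/24 and the passive range 10000:20000 are placeholders; the range must match the one configured in the real servers' FTP daemon.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide. Prints (does not apply) the rules
# that mark every FTP-related flow to one virtual server with the same firewall mark,
# so IPVS forwards control, passive-data and active-data connections as one service.

# Reject a passive range that is open-ended, inverted, or below the 10,000 floor the
# guide describes; marking 1024:65535 would expose every high port on the VIP.
check_pasv_range() {
    low=${1%%:*}; high=${1##*:}
    [ "$low" -ge 10000 ] 2>/dev/null || return 1
    [ "$high" -gt "$low" ] 2>/dev/null && [ "$high" -le 65535 ] || return 1
    return 0
}

# Emit the rules for one VIP: $1 VIP, $2 real-server subnet, $3 passive range, $4 mark.
# Pipe the output to sh to apply it; returns 1 if the passive range is unsafe.
ftp_fwmark_rules() {
    vip=$1; real_net=$2; pasv=$3; mark=$4
    check_pasv_range "$pasv" || { echo "unsafe passive range: $pasv" >&2; return 1; }
    # Control connection: client -> VIP:21 carries the mark the Piranha form expects.
    echo "iptables -t mangle -A PREROUTING -p tcp -d $vip/32 --dport 21 -j MARK --set-mark $mark"
    # Passive data: client -> VIP:<bounded high port> gets the same mark, so IPVS
    # accepts the data connection instead of dropping an unknown port.
    echo "iptables -t mangle -A PREROUTING -p tcp -d $vip/32 --dport $pasv -j MARK --set-mark $mark"
    # Active data (NAT routing): the real server opens the connection to the client
    # from source port 20; IPVS does not track it, so the router masquerades it out.
    echo "iptables -t nat -A POSTROUTING -p tcp -s $real_net --sport 20 -j MASQUERADE"
}

# Stand-alone run with the placeholder values (override via the environment).
ftp_fwmark_rules "${VIP:-192.0.2.10}" "${REAL_NET:-192.168.1.0/24}" \
    "${PASV_RANGE:-10000:20000}" "${FWMARK:-21}"
```

Review the printed rules with `iptables -t mangle -L -n` and `iptables -t nat -L -n` after applying them, and confirm the passive range matches the FTP daemon's configuration on every real server.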
3.5.3.1. Rules for Active Connections
The rules for active connections tell the kernel to accept and forward connections coming to the internal
floating IP address on port 20 — the FTP data port.
The following iptables command allows the LVS router to accept outgoing connections from the real
Red Hat Enterprise Linux 4 Virtual Server Administration