Installation guide
servers that IPVS does not know about:
/sbin/iptables -t nat -A POSTROUTING -p tcp -s n.n.n.0/24 --sport 20 -j MASQUERADE
In the iptables command, n.n.n should be replaced with the first three values for the floating IP for
the NAT interface's internal network interface defined in the GLOBAL SETTINGS panel of Piranha
Configuration Tool.
3.5.3.2. Rules for Passive Connections
The rules for passive connections assign the appropriate firewall mark to connections coming in from
the Internet to the floating IP for the service on a wide range of ports — 10,000 to 20,000.
Warning
If you are limiting the port range for passive connections, you must also configure the VSFTP
server to use a matching port range. This can be accomplished by adding the following lines to
/etc/vsftpd.conf:
pasv_min_port=10000
pasv_max_port=20000
You must also control the address that the server displays to the client for passive FTP
connections. In a NAT routed LVS system, add the following line to /etc/vsftpd.conf to
override the real server IP address to the VIP, which is what the client sees upon connection. For
example:
pasv_address=n.n.n.n
Replace n.n.n.n with the VIP address of the LVS system.
For configuration of other FTP servers, consult the respective documentation.
This range should be wide enough for most situations; however, you can increase this range to
include all available non-privileged ports by changing 10000:20000 in the commands below to
1024:65535.
The following iptables commands have the net effect of assigning any traffic addressed to the
floating IP on the appropriate ports a firewall mark of 21, which is in turn recognized by IPVS and
forwarded appropriately:
/sbin/iptables -t mangle -A PREROUTING -p tcp -d n.n.n.n/32 --dport 21 -j MARK --set-mark 21
/sbin/iptables -t mangle -A PREROUTING -p tcp -d n.n.n.n/32 --dport 10000:20000 -j MARK --set-mark 21
In the iptables commands, n.n.n.n should be replaced with the floating IP for the FTP virtual server
defined in the VIRTUAL SERVER subsection of Piranha Configuration Tool.
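The following shell script is an added example, not part of the guide: it prints the two mark rules above for a given VIP, mark and passive range (without applying them), and checks that the pasv_min_port/pasv_max_port values in a vsftpd.conf match the range used in the mark rule, since a mismatch leaves passive data connections unmarked and therefore not forwarded by IPVS. The VIP 192.0.2.10 and the temporary config file are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the guide). Emits the FWMARK rules for an FTP virtual
# server and verifies the vsftpd passive range against them.

# ftp_fwmark_rules VIP MARK PMIN PMAX
# Print (do not apply) the control-port and passive-range mark rules.
# Rejects a range outside 1024-65535 or with PMIN >= PMAX.
ftp_fwmark_rules() {
    vip=$1; mark=$2; pmin=$3; pmax=$4
    [ "$pmin" -ge 1024 ] && [ "$pmax" -le 65535 ] && [ "$pmin" -lt "$pmax" ] \
        || return 1
    printf '%s\n' \
      "/sbin/iptables -t mangle -A PREROUTING -p tcp -d $vip/32 --dport 21 -j MARK --set-mark $mark" \
      "/sbin/iptables -t mangle -A PREROUTING -p tcp -d $vip/32 --dport $pmin:$pmax -j MARK --set-mark $mark"
}

# check_pasv_range CONF PMIN PMAX
# Read pasv_min_port / pasv_max_port from CONF (last occurrence wins, as in
# vsftpd) and compare with the range in the mark rule. 0 = match, 1 = mismatch
# or key missing.
check_pasv_range() {
    conf=$1; pmin=$2; pmax=$3
    cmin=$(sed -n 's/^pasv_min_port=//p' "$conf" | tail -n 1)
    cmax=$(sed -n 's/^pasv_max_port=//p' "$conf" | tail -n 1)
    [ "$cmin" = "$pmin" ] && [ "$cmax" = "$pmax" ]
}

# Demonstration with a constructed vsftpd.conf (placeholder VIP 192.0.2.10).
demo_conf=$(mktemp)
printf 'pasv_min_port=10000\npasv_max_port=20000\npasv_address=192.0.2.10\n' > "$demo_conf"
ftp_fwmark_rules 192.0.2.10 21 10000 20000
if check_pasv_range "$demo_conf" 10000 20000; then
    echo "vsftpd passive range matches the mark rule"
else
    echo "WARNING: vsftpd passive range does not match the mark rule" >&2
fi
rm -f "$demo_conf"
```

Review the printed rules, then pipe them to sh on the LVS router; to widen the range, pass 1024 65535 to both functions and change vsftpd.conf to match.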
Warning
The commands above take effect immediately, but do not persist through a reboot of the system.
To ensure network packet filter settings are restored after a reboot, see Section 3.6, “Saving
Network Packet Filter Settings”.
Chapter 3. Setting Up LVS