Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

3.5.3. Creating Network Packet Filter Rules

Before assigning any iptables rules for FTP service, review the information in Section 3.4.1, “Assigning Firewall Marks” concerning multi-port services and techniques for checking the existing network packet filtering rules.
Below are rules which assign the same firewall mark, 21, to FTP traffic. For these rules to work properly, you must also use the VIRTUAL SERVER subsection of Piranha Configuration Tool to configure a virtual server for port 21 with a value of 21 in the Firewall Mark field. See Section 4.6.1, “The VIRTUAL SERVER Subsection” for details.

3.5.3.1. Rules for Active Connections

The rules for active connections tell the kernel to accept and forward connections coming to the internal floating IP address on port 20 — the FTP data port.
The following iptables command allows the LVS router to accept outgoing connections from the real servers that IPVS does not know about:
/sbin/iptables -t nat -A POSTROUTING -p tcp -s n.n.n.0/24 --sport 20 -j MASQUERADE
In the iptables command, n.n.n should be replaced with the first three values for the floating IP for the NAT interface's internal network interface defined in the GLOBAL SETTINGS panel of the Piranha Configuration Tool.