3.5. Configuring FTP
3.5.1. How FTP Works
- Active Connections: When an active connection is established, the server opens a data connection to the client from port 20 to a high range port on the client machine. All data from the server is then passed over this connection.
- Passive Connections: When a passive connection is established, the client asks the FTP server to establish a passive connection port, which can be on any port higher than 10,000. The server then binds to this high-numbered port for this particular session and relays that port number back to the client. The client then opens the newly bound port for the data connection. Each data request the client makes results in a separate data connection. Most modern FTP clients attempt to establish a passive connection when requesting data from servers.
3.5.2. How This Affects Load Balancer Routing
For the router to track FTP data connections, it must have the ip_vs_ftp kernel module loaded. Run the following commands as an administrative user at a shell prompt to load this module and ensure that the module loads on a reboot:
echo "ip_vs_ftp" >> /etc/modules-load.d/ip_vs_ftp.conf
systemctl enable systemd-modules-load
systemctl start systemd-modules-load
3.5.3. Creating Network Packet Filter Rules
Before creating any iptables rules for the FTP service, review the information in Section 3.4, “Multi-port Services and Load Balancer” concerning multi-port services and techniques for checking the existing network packet filtering rules.
The rules below assign the same firewall mark, 21, to FTP traffic.
3.5.3.1. Rules for Active Connections
Active connections originate from the real servers on port 20 (the FTP data port).
The following iptables command allows the LVS router to accept outgoing connections from the real servers that IPVS does not know about:
/usr/sbin/iptables -t nat -A POSTROUTING -p tcp -s n.n.n.0/24 --sport 20 -j MASQUERADE
In the iptables command, n.n.n should be replaced with the first three octets of the floating IP for the NAT interface's internal network interface, as defined in the virtual_server section of the load balancer configuration file.
3.5.3.2. Rules for Passive Connections
If you limit the port range for passive connections, you must also configure the FTP server, vsftpd, to use a matching port range, by setting the passive port range in the vsftpd configuration so that it matches the range marked below.
Setting pasv_address to override the real FTP server address should not be used, since the address is updated to the virtual IP address by LVS.
The range 10000:20000 in the commands below can be changed if a different passive port range is required; whatever range is chosen must match the one vsftpd uses.
The following iptables commands have the net effect of assigning any traffic addressed to the floating IP on the appropriate ports a firewall mark of 21, which is in turn recognized by IPVS and forwarded appropriately:
/usr/sbin/iptables -t mangle -A PREROUTING -p tcp -d n.n.n.n/32 --dport 21 -j MARK --set-mark 21
/usr/sbin/iptables -t mangle -A PREROUTING -p tcp -d n.n.n.n/32 --dport 10000:20000 -j MARK --set-mark 21
In the iptables commands, n.n.n.n should be replaced with the floating IP for the FTP virtual server defined in the virtual_server subsection of the load balancer configuration file.
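As an added illustration (not code from the Red Hat documentation), the shell functions below generate the two mark rules shown above for a given floating IP and passive range, and check a vsftpd configuration so that the range vsftpd hands out (its pasv_min_port/pasv_max_port options) is covered by the range the router marks; the function names, the sample vsftpd.conf text and the address 192.0.2.10 are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not part of the Red Hat documentation. Generates the
# firewall-mark rules for an FTP virtual server and checks that the passive
# range the router marks covers the range vsftpd will hand out. Function
# names, the sample vsftpd.conf and the address 192.0.2.10 are constructed.

# Print the two PREROUTING rules: control port 21 plus the passive range.
# Usage: ftp_mark_rules <floating-ip> <pasv-min> <pasv-max> [mark]
ftp_mark_rules() {
    vip="$1"; lo="$2"; hi="$3"; mark="${4:-21}"
    # An empty, non-numeric or reversed range would leave passive data
    # connections unmarked, and IPVS would then drop them; refuse it here.
    if [ -z "$lo" ] || [ -z "$hi" ]; then echo "missing port" >&2; return 1; fi
    case "$lo$hi" in *[!0-9]*) echo "non-numeric range $lo:$hi" >&2; return 1;; esac
    [ "$lo" -le "$hi" ] || { echo "reversed range $lo:$hi" >&2; return 1; }
    printf '%s\n' \
      "/usr/sbin/iptables -t mangle -A PREROUTING -p tcp -d $vip/32 --dport 21 -j MARK --set-mark $mark" \
      "/usr/sbin/iptables -t mangle -A PREROUTING -p tcp -d $vip/32 --dport $lo:$hi -j MARK --set-mark $mark"
}

# Read pasv_min_port/pasv_max_port from a vsftpd.conf and verify that every
# port vsftpd can hand out lies inside the range the router marks.
# Returns 0 when covered, 1 otherwise; an unpinned range counts as a failure.
# Usage: check_pasv_range <vsftpd.conf> <pasv-min> <pasv-max>
check_pasv_range() {
    conf="$1"; lo="$2"; hi="$3"
    vmin=$(sed -n 's/^pasv_min_port=//p' "$conf" | tail -n 1)
    vmax=$(sed -n 's/^pasv_max_port=//p' "$conf" | tail -n 1)
    if [ -z "$vmin" ] || [ -z "$vmax" ]; then
        echo "vsftpd passive range not pinned in $conf" >&2; return 1
    fi
    case "$vmin$vmax" in *[!0-9]*) echo "bad vsftpd range" >&2; return 1;; esac
    if [ "$vmin" -lt "$lo" ] || [ "$vmax" -gt "$hi" ]; then
        echo "vsftpd range $vmin:$vmax not covered by marked range $lo:$hi" >&2
        return 1
    fi
    return 0
}

# Demo with a constructed vsftpd.conf written to a temporary file.
demo_conf=$(mktemp)
printf 'listen=YES\npasv_min_port=10000\npasv_max_port=20000\n' > "$demo_conf"
ftp_mark_rules 192.0.2.10 10000 20000
check_pasv_range "$demo_conf" 10000 20000 && echo "passive range covered"
rm -f "$demo_conf"
```

The functions only print the rules; review the output before running it with root privileges on the LVS router.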
The rules above take effect immediately but do not persist through a reboot. To save them so that the iptables service restores them at boot, enter the following command:
iptables-save > /etc/sysconfig/iptables
To ensure that the iptables service is started at system start, enter the following commands:
systemctl enable iptables
systemctl restart iptables