2. The FTP client/server relationship can potentially open a large number of ports that the Piranha
Configuration Tool and IPVS do not know about.
8.4.2 How This Affects LVS Routing
IPVS packet forwarding only allows connections in and out of the cluster based on it recognizing its
port number or its firewall mark. If a client from outside the cluster attempts to open a port IPVS
is not configured to handle, it drops the connection. Similarly, if the real server attempts to open a
connection back out to the Internet on a port IPVS does not know about, it drops the connection. This
means all connections from FTP clients on the Internet must have the same firewall mark assigned
to them and all connections from the FTP server must be properly forwarded to the Internet using
network packet filtering rules.
8.4.3 Creating Network Packet Filter Rules
Before assigning any iptables or ipchains rules for FTP service, review the information in
Section 8.3.1, Assigning Firewall Marks concerning multi-port services and techniques for checking
the existing network packet filtering rules.
Note
You must log in as root and load the module for either iptables or ipchains before issuing rules for the first time.

Below are rules which assign the same firewall mark, 21, to FTP traffic. For these rules to work properly, you must also use the VIRTUAL SERVER subsection of Piranha Configuration Tool to configure a virtual server for port 21 with a value of 21 in the Firewall Mark field. See Section 9.6.1, The VIRTUAL SERVER Subsection for details.

Rules for Active Connections
The rules for active connections tell the kernel to accept and forward connections coming to the internal floating IP address on port 20 — the FTP data port.

iptables
/sbin/iptables -t nat -A POSTROUTING -p tcp \
-s n.n.n.0/24 --sport 20 -j MASQUERADE

ipchains
/sbin/ipchains -A forward -p tcp -s n.n.n.0/24 20 -j MASQ

Chapter 8: Setting Up a Red Hat Enterprise Linux AS LVS Cluster
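The following is an added example, not from the manual: a POSIX shell script that pairs the inbound firewall-mark rule for the FTP control port (the mangle-table MARK technique Section 8.3.1 refers to, which is not reproduced on this page and is therefore an assumption here) with the active-data masquerade rule above, using a dry-run guard so the rules can be reviewed before they are applied. The virtual IP 10.0.0.1 and real-server network 10.0.1.0/24 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the manual). Assumptions: VIP 10.0.0.1 and real-server
# network 10.0.1.0/24 are constructed placeholders; the mangle-table MARK rule is
# the usual way to assign a firewall mark and is not shown on this page.
# DRY_RUN=1 (the default) prints each rule instead of applying it; set DRY_RUN=0
# and run as root to install the rules for real.

VIP="${VIP:-10.0.0.1}"
REAL_NET="${REAL_NET:-10.0.1.0/24}"
FWMARK="${FWMARK:-21}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Show what is already in the mangle PREROUTING chain before adding anything,
# so an existing mark rule is not duplicated.
show_existing_marks() {
    run /sbin/iptables -t mangle -L PREROUTING -n
}

# Inbound: mark the FTP control connection to the virtual IP with mark 21 so
# IPVS matches it by mark; the virtual server must carry the same value in its
# Firewall Mark field.
mark_ftp_control() {
    run /sbin/iptables -t mangle -A PREROUTING -p tcp -d "$VIP" --dport 21 \
        -j MARK --set-mark "$FWMARK"
}

# Outbound: masquerade the active-mode data connections the real servers open
# from source port 20, which IPVS would otherwise drop as unknown.
masquerade_active_data() {
    run /sbin/iptables -t nat -A POSTROUTING -p tcp -s "$REAL_NET" --sport 20 \
        -j MASQUERADE
}

install_ftp_rules() {
    show_existing_marks
    mark_ftp_control
    masquerade_active_data
}

install_ftp_rules
```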