Red Hat ENTERPRISE LINUX AS 2.1 Installation Manual page 131


Section 8.4: FTP In an LVS Cluster
In the above network packet filter commands, n.n.n should be replaced with the first three values for
the floating IP for the NAT interface's internal network interface defined in the GLOBAL SETTINGS
panel of Piranha Configuration Tool. These commands allow the LVS router to accept outgoing
connections from the real servers that IPVS does not know about.

Rules for Passive Connections
The rules for passive connections assign the appropriate firewall mark to connections coming in from
the Internet to the floating IP for the service on a wide range of ports — 10,000 to 20,000.

WARNING
If you are limiting the port range for passive connections, you must also
configure the FTP server to use a matching port range. This can be
accomplished under Red Hat Linux by adding the following line to the end
of /etc/ftpaccess:
passive ports 0.0.0.0/0 10000 20000
For other FTP servers, consult the documentation.

This range should be wide enough for most situations; however, you can increase this number
to include all available non-secured ports by changing 10000:20000 in the commands below to
1024:65535.

iptables
/sbin/iptables -t mangle -A PREROUTING -p tcp \
-d n.n.n.n/32 \
--dport 21 -j MARK --set-mark 21
/sbin/iptables -t mangle -A PREROUTING -p tcp \
-d n.n.n.n/32 \
--dport 10000:20000 -j MARK --set-mark 21

ipchains
/sbin/ipchains -A input -p tcp -d n.n.n.n/32 21 -m 21
/sbin/ipchains -A input -p tcp -d n.n.n.n/32 \
10000:20000 -m 21

In the above network packet filter commands, n.n.n.n should be replaced with the floating IP for
the FTP virtual server defined in the VIRTUAL SERVER subsection of Piranha Configuration Tool.
These commands have the net effect of assigning any traffic addressed to the floating IP on the
appropriate ports a firewall mark of 21, which is in turn recognized by IPVS and forwarded appropriately.
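The warning above requires the FTP server's passive range and the marked firewall range to agree. The following check is an added example, not part of the manual: it compares the two from text input. The function names are hypothetical, the rules are assumed to be supplied in the form shown on this page, and 192.0.2.10 is a constructed stand-in for the floating IP n.n.n.n.

```shell
#!/bin/sh
# Added example (not from the manual): check that the passive port range
# in ftpaccess equals the range the firewall marks for IPVS.

# Print MIN:MAX from the "passive ports" line of ftpaccess text on stdin.
ftp_passive_range() {
    awk '$1 == "passive" && $2 == "ports" { print $4 ":" $5; exit }'
}

# Print the --dport range of every MARK rule that sets the given mark.
# Reads iptables commands on stdin; backslash-continued lines are joined.
marked_range() {
    awk -v mark="$1" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
        { $0 = buf $0; buf = ""; dport = ""; m = ""
          for (i = 1; i < NF; i++) {
              if ($i == "--dport")    dport = $(i + 1)
              if ($i == "--set-mark") m = $(i + 1)
          }
          if (m == mark && dport ~ /:/) print dport }'
}

# Print a verdict; return 0 only when both sides agree on one range.
check_passive_match() {    # $1 = ftpaccess text, $2 = rules text, $3 = mark
    ftp=$(printf '%s\n' "$1" | ftp_passive_range)
    fw=$(printf '%s\n' "$2" | marked_range "$3")
    if [ -n "$ftp" ] && [ "$ftp" = "$fw" ]; then
        echo "match $ftp"; return 0
    fi
    echo "mismatch ftp=${ftp:-none} firewall=${fw:-none}"; return 1
}

# Constructed sample input; 192.0.2.10 stands in for the floating IP n.n.n.n.
SAMPLE_FTPACCESS='passive ports 0.0.0.0/0 10000 20000'
SAMPLE_RULES='/sbin/iptables -t mangle -A PREROUTING -p tcp \
-d 192.0.2.10/32 \
--dport 21 -j MARK --set-mark 21
/sbin/iptables -t mangle -A PREROUTING -p tcp \
-d 192.0.2.10/32 \
--dport 10000:20000 -j MARK --set-mark 21'

check_passive_match "$SAMPLE_FTPACCESS" "$SAMPLE_RULES" 21
```

A mismatch means passive data connections can arrive on ports that carry no firewall mark, so IPVS will not forward them with the rest of the FTP session.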
