HAProxy load balancing for vsFTPd servers

I have set up HAProxy in front of two vsftpd FTP servers as a load-balanced environment. So far the setup looks like this:

Agent: ftp00 | 192.168.2.135 (public, eth0 ) | 10.11.130.1 ( private, eth1)
Node01: ftp01 | 10.11.130.140
node02: ftp02 | 10.11.130.141

Operating System: CentOS 6.6
HAProxy: version 1.5.2 (2014/07/12)
vsftpd: version 2.2.2

ftp00:/etc/haproxy/haproxy.conf

#---------------------------------------------------------------------
# GLOBAL CONFIG
#---------------------------------------------------------------------
global
    daemon
    log         127.0.0.1 local0 info
    log         127.0.0.1 local1 notice
    log         127.0.0.1 local5 debug
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# DEFAULTS CONFIG
#---------------------------------------------------------------------
defaults
    log                     global
    mode                    tcp
    option                  tcplog
    option                  dontlognull
    retries                 3
    option redispatch
    option tcpka
    maxconn                 2000
    contimeout              5000

#---------------------------------------------------------------------
# POOL CONFIG
#---------------------------------------------------------------------
listen ftp-lb
    bind 192.168.2.135:21
    mode tcp
    option tcplog
    balance roundrobin
    server ftp01 10.11.130.140:21 weight 10 minconn 30 maxconn 1000 check
    server ftp02 10.11.130.141:21 weight 10 minconn 30 maxconn 1000 check

#---------------------------------------------------------------------
# HAPROXY DASHBOARD CONFIG
#---------------------------------------------------------------------
listen stats
    bind 192.168.2.135:81
    mode http
    stats enable
    stats refresh 30s
    stats show-node
    stats uri /stats
    stats auth admin:password

ftp00:/etc/sysconfig/iptables (found here)

*nat
:PREROUTING ACCEPT [7:724]
:POSTROUTING ACCEPT [5:300]
:OUTPUT ACCEPT [5:300]
-A PREROUTING -d 192.168.2.135/32 -i eth1 -p tcp -m tcp --dport 12001:14000 -j DNAT --to-destination 10.11.130.140
-A PREROUTING -d 192.168.2.135/32 -i eth1 -p tcp -m tcp --dport 16001:18000 -j DNAT --to-destination 10.11.130.141
-A POSTROUTING -s 10.11.130.140/32 -o eth1 -j SNAT --to-source 192.168.2.135
-A POSTROUTING -s 10.11.130.141/32 -o eth1 -j SNAT --to-source 192.168.2.135
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [732:64731]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 81 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

ftp01:/etc/vsftpd/vsftpd.conf

#------------------------------------------
# GENERAL CONFIG
#------------------------------------------
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
pam_service_name=vsftpd
#------------------------------------------
# LOG CONFIG
#------------------------------------------
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
#------------------------------------------
# USER WHITELIST
#------------------------------------------
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
#------------------------------------------
# PASSIVE MODE CONFIG
#------------------------------------------
#tcp_wrappers=YES
pasv_enable=YES
port_enable=YES
pasv_min_port=12001
pasv_max_port=14000
pasv_address=192.168.2.135
pasv_addr_resolve=NO
connect_from_port_20=YES
#------------------------------------------
# Added listen address for internal only
#------------------------------------------
listen=YES
listen_address=10.11.130.140
#-----------------------------------------
# BANNER CONFIG
#-----------------------------------------
banner_file=/etc/vsftpd/issue

ftp01:/etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 12001:14000 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

ftp02:/etc/vsftpd/vsftpd.conf

Differences from the ftp01 configuration:

pasv_min_port=16001
pasv_max_port=18000
listen_address=10.11.130.141

ftp02:/etc/sysconfig/iptables

Same as **ftp01**, with its own port range.

All nodes: /etc/sysconfig/iptables-config

IPTABLES_MODULES="nf_conntrack_ftp"

SELinux is disabled on all machines. I've followed several tutorials (such as this and this), but I still cannot use passive mode. I can log on to the FTP server through the HAProxy load balancer (set to roundrobin, which also works), but it gives me this:

220-***FTP SERVER CLUSTER NODE 02***
220
Name (192.168.2.135:root): root
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,2,135,67,94).
ftp: connect: Connection timed out
ftp>

I have now done just about everything I can think of to deal with this, and I'm getting a little frustrated. My configuration is the same as in the tutorials, but it does not work. Maybe I missed something I did not notice, so any help is greatly appreciated!

At least the port number seems to be correct: ftp02 is set to use 16001-18000, and the passive-mode port is 67 * 256 + 94 = 17246, which is within that range.
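An added diagnostic (not from the question or any answer) that does the PASV arithmetic above for you: it decodes the 227 reply, maps the data port onto the per-node passive ranges the HAProxy host DNATs, and reports when the advertised address or the port does not line up with the node named in the 220 banner. The port table and the banner format are assumed from the configuration and session shown in the question.

```python
import re

# Assumed table, built from the question's config: each node's vsftpd passive
# port range and the private address the HAProxy host DNATs that range to.
PASV_DNAT = {
    "ftp01": (12001, 14000, "10.11.130.140"),
    "ftp02": (16001, 18000, "10.11.130.141"),
}
PASV_ADDRESS = "192.168.2.135"  # pasv_address advertised by both nodes
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
BANNER_RE = re.compile(r"NODE (\d+)")

def parse_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port);
    the data port is p1 * 256 + p2, so (67,94) means port 17246."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def backend_for_port(port, table=PASV_DNAT):
    """Name and private address of the node whose DNAT range covers port."""
    for name, (lo, hi, addr) in table.items():
        if lo <= port <= hi:
            return name, addr
    return None

def node_from_banner(banner):
    """'220-***FTP SERVER CLUSTER NODE 02***' -> 'ftp02' (None if absent)."""
    m = BANNER_RE.search(banner)
    return "ftp%s" % m.group(1) if m else None

def check_pasv(reply, banner=None):
    """Return (ip, port, findings); an empty findings list means the reply
    is consistent with pasv_address and with the DNAT port table."""
    ip, port = parse_pasv(reply)
    findings = []
    if ip != PASV_ADDRESS:
        findings.append("advertised %s instead of %s" % (ip, PASV_ADDRESS))
    hit = backend_for_port(port)
    if hit is None:
        findings.append("port %d is outside every DNAT range" % port)
    elif banner and node_from_banner(banner) not in (None, hit[0]):
        findings.append("port %d maps to %s but the banner names %s"
                        % (port, hit[0], node_from_banner(banner)))
    return ip, port, findings
```

Paste the 220 banner and the 227 line from a failing session into `check_pasv`; an empty findings list tells you the problem lies past the PASV reply (in the NAT or forwarding path), not in what vsftpd advertised.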

According to the RH documentation on passive FTP load balancing that I read, you may need to enable a kernel module:

# modprobe ip_vs_ftp

Red_Hat_Enterprise_Linux-6-Load_Balancer_Administration-EN-US

 

In order to enable passive FTP connections, ensure that you have the ip_vs_ftp kernel module loaded, which you can do by running the command modprobe ip_vs_ftp as an administrative user at a shell prompt.

Origin www.cnblogs.com/alpha1981/p/11760707.html