On Thu, 21 Jun 2001, Marius Tomaschewski wrote:
Hi!
On Wed, Jun 20, 2001 at 03:32:20PM +0200, Alois Treindl wrote:
I intend to run ftp-proxy on the 'director' of an LVS cluster. The ftp server will run on one of the real servers in the cluster.
I use ipchains for firewalling the director against the Internet. Only a very limited set of rules is currently active, to allow ssh access to the 'director' and for the load balanced http services, plus DNS and NTP lookups and such stuff.
Question: Does someone have a ruleset for ipchains for the additional rules required for the ftp proxy service.
a) allowing public access to the ftp-proxy service from outside
You do not need any redirection rules nor transparent proxying if you have only one ftp-server - simply set DestinationAddress to the IP of the ftp-server and tell the Internet that the proxy machine is your ftp-server.
Sorry, I seem to be too inexperienced with Linux and NAT/proxy setup to understand what you are saying. What does it mean "say to the Internet the proxy is my ftp server"? I do say that ftp.astro.com is $VIP (see below), but I need the corresponding filtering and forwarding rules inside the proxy server.

Would it be possible to express that in explicit statements like "put this .... in configuration file 'filename'" and "put this rule .... in your ipchains ruleset"?

This is my setup:

                  |
                  | eth1: real address $DEP, virtual address eth1:0 $VIP
                  | DEP=195.49.62.58  VIP=195.49.62.59
       +---------------------+
       | LVS-NAT director    |  running kernel 2.2.19
       | ipchains firewall   |
       | ftp-proxy           |
       +---------------------+
                  | eth0: 10.1.1.254  hostname="w0"
                  |
       switch--------------- other real http servers w2, w3, w4, ...
                  |
                  | eth0: 10.1.1.1  hostname="w1"
       +---------------------+
       | http server         |  running kernel 2.4.5
       | ftp server          |
       +---------------------+

Clients on the internet should connect via ftp (active and passive must be possible) to virtual address $VIP and get connected via the proxy to the internal server. ipchains must be configured to allow the passage and forwarding of the packets related to the ftp connections. By default, everything is forbidden.

I need
- the relevant entries in ftp-proxy.conf
- ipchains rules

|| Alois Treindl, Astrodienst AG, mailto:alois@astro.com
|| Zollikon/Zurich, Switzerland
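One way to write down what Marius describes, as an added example that is not part of the thread and not ftp-proxy's own documentation: the proxy terminates every client session on $VIP and opens its own session from the director to 10.1.1.1, so the only ftp-proxy.conf entry the thread itself names is DestinationAddress pointing at the real server, and no ipchains forward or masquerading rules (and no ip_masq_ftp) are involved for ftp at all, unlike the load-balanced http traffic. What the director needs are input and output rules for the proxy's own sockets on both interfaces. The script below uses the addresses and interfaces from the diagram above; the passive data port range 40000-40999, the active-mode source port 20, the source address 10.1.1.254 on the internal leg, and passive transfers towards the real server are assumptions that must match how the proxy is actually configured (the thread does not name those directives), and are marked as such in the comments.

```shell
#!/bin/sh
# Added example, not from the thread or from ftp-proxy: ipchains (kernel 2.2)
# rules on the LVS-NAT director for an ftp-proxy that terminates client
# sessions on $VIP and opens its own sessions to the internal ftp server.
# The default policy (everything denied) is assumed to be set already.

VIP=195.49.62.59        # public address the proxy listens on (eth1:0)
EXT=eth1                # Internet-facing interface
INT=eth0                # interface towards the real servers
INTADDR=10.1.1.254      # ASSUMED: address the proxy uses towards the real servers
FTPSRV=10.1.1.1         # real ftp server "w1" (DestinationAddress in ftp-proxy.conf)
PASV_LO=40000           # ASSUMED: passive data port range the proxy hands out;
PASV_HI=40999           # must match the range configured in ftp-proxy.conf
ACTIVE_PORT=20          # ASSUMED: source port the proxy uses for active-mode data

# Print each command instead of running it when DRYRUN=1 (the default), so
# the ruleset can be reviewed on any host; run with DRYRUN=0 as root on w0.
run() {
    if [ "${DRYRUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

ftp_proxy_rules() {
    # 1. Client -> proxy control connection on $VIP:21, and its replies
    #    (! -y = packets without SYN, i.e. never a new inbound connection).
    run ipchains -A input  -i "$EXT" -p tcp -s 0/0 -d "$VIP" 21 -j ACCEPT
    run ipchains -A output -i "$EXT" -p tcp -s "$VIP" 21 -d 0/0 ! -y -j ACCEPT

    # 2. Passive mode, client side: the client opens the data connection to a
    #    port in the proxy's passive range. ipchains has no connection tracking,
    #    so inbound SYNs to the whole range must be accepted; keep it narrow.
    run ipchains -A input  -i "$EXT" -p tcp -s 0/0 -d "$VIP" "$PASV_LO:$PASV_HI" -j ACCEPT
    run ipchains -A output -i "$EXT" -p tcp -s "$VIP" "$PASV_LO:$PASV_HI" -d 0/0 ! -y -j ACCEPT

    # 3. Active mode, client side: the proxy connects from $ACTIVE_PORT to the
    #    unprivileged port the client announced in its PORT command.
    run ipchains -A output -i "$EXT" -p tcp -s "$VIP" "$ACTIVE_PORT" -d 0/0 1024:65535 -j ACCEPT
    run ipchains -A input  -i "$EXT" -p tcp -s 0/0 1024:65535 -d "$VIP" "$ACTIVE_PORT" ! -y -j ACCEPT

    # 4. Proxy -> real server control connection. The director itself is the
    #    client here, so these are output/input rules, not forward rules.
    run ipchains -A output -i "$INT" -p tcp -s "$INTADDR" -d "$FTPSRV" 21 -j ACCEPT
    run ipchains -A input  -i "$INT" -p tcp -s "$FTPSRV" 21 -d "$INTADDR" ! -y -j ACCEPT

    # 5. Proxy -> real server data connections, ASSUMING the proxy talks
    #    passive mode to the server (it connects to the server's data port).
    run ipchains -A output -i "$INT" -p tcp -s "$INTADDR" -d "$FTPSRV" 1024:65535 -j ACCEPT
    run ipchains -A input  -i "$INT" -p tcp -s "$FTPSRV" 1024:65535 -d "$INTADDR" ! -y -j ACCEPT
}

ftp_proxy_rules
```

If the proxy is instead configured to use active mode towards the real server, section 5 has to be turned around: w1 will then open the data connection from its port 20 to the proxy, which means accepting inbound SYNs from 10.1.1.1 20 on eth0 and the matching non-SYN replies on output. Either way the passive range in section 2 is the one piece that is reachable from the whole Internet, so nothing but the proxy should be listening on those ports on the director.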