Channel: HAProxy community - Latest topics

IP routing with haproxy tcp for ftp


@ebourgui wrote:

Hi guys,

My configuration:

server1
HAProxy 1.5.14 - CentOS 7
public IP eth0: 1.2.3.4
public IP eth0:0: 5.6.7.8 (OVH failover IP, which can be moved to another HAProxy server when a failover occurs)
||
server3
vsftpd 3.0.2 - CentOS 7
public IP eth0: 9.10.11.12

Only public addresses. server1 and server3 have backups in a Pacemaker cluster (active/passive): server2 (HAProxy backup) and server4 (FTP backup).

When I connect in passive mode to server3: no problem.
When I connect in passive mode to server1 (on 5.6.7.8):

ftp *****.com
Connected to *****.com (5.6.7.8).
220 Welcome to FTP service.
Name (******.com:root): toto
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (9,10,11,12,198,124).
ftp: connect: Connexion terminée par expiration du délai d'attente
=> in English: connection timed out

I took a look at /var/log/messages on the client and saw:
Sep 8 12:26:47 ***** kernel: [11686946.541337] Firewall: *TCP_OUT Blocked* IN= OUT=eth2 SRC=******* DST=9.10.11.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45793 DF PROTO=TCP SPT=52258 DPT=50812 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0

The client tries to connect directly to server3 and not to server1. I think the packets are blocked because they would have to be iptables RELATED to server1, not to server3, to pass the firewall.
I don't want to change the iptables output rules because they concern a lot of clients.
Is there a way to respond as server1 and not as server3 (or another way to make this work properly)?

server1: haproxy.cfg
...
listen ftplb
    # control port and the passive data port range, both on the failover IP
    bind 5.6.7.8:21
    bind 5.6.7.8:50000-50999
    mode tcp
    option tcplog
    # no port on the server lines: the client's destination port is reused on the backend
    server server3 9.10.11.12 check port 21
    server server4 13.14.15.16 check port 21

server1 and server3: iptables
-A INPUT -p tcp -i eth0 -m multiport --dport 21,50000:50999 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

server3: vsftpd.conf

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
# jail local users in their home directory
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# needed since vsftpd 2.3.5 when the chroot root directory is writable
allow_writeable_chroot=YES
ftpd_banner=Welcome to FTP service.
# passive mode: the server advertises the address and port the client must connect to
pasv_enable=YES
# disable the check that the data connection comes from the same IP as the control connection
pasv_promiscuous=YES
# passive data port range; matches the range HAProxy binds (50000-50999)
pasv_min_port=50000
pasv_max_port=50999
dual_log_enable=YES
log_ftp_protocol=YES
# active mode (PORT), with the check that data connections only go back to the client disabled
port_enable=YES
port_promiscuous=YES
connect_from_port_20=NO
seccomp_sandbox=NO

Any idea?

Regards,
Eric
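
Added example (editor's note, not part of the post and not HAProxy or vsftpd code): a small Python checker for the 227 reply quoted above. It decodes the (h1,h2,h3,h4,p1,p2) tuple (198*256+124 = 50812, the DPT in the blocked-SYN line), then asks the two questions that decide whether the data connection will traverse the proxy: is the advertised address the one the client's control connection already talks to (the kernel FTP helper, nf_conntrack_ftp, only registers a RELATED expectation in that case unless its loose module parameter is set, which is what a client-side firewall relying on RELATED keys on), and does the advertised port fall in the range HAProxy binds. The control peer 5.6.7.8 and the range 50000-50999 are taken from the posted configuration; the sample replies are constructed.

```python
"""Decode and sanity-check an FTP PASV reply the way a proxied client sees it.

Added example (not from the thread).  The sample reply is the one quoted in the
post; the control-connection peer 5.6.7.8 and the HAProxy port range
50000-50999 come from the posted configuration.
"""
from __future__ import annotations

import ipaddress
import re

# RFC 959 form: 227 <text> (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply: str) -> tuple:
    """Return (ip, port) advertised by a 227 reply; raise ValueError if malformed.

    The port is p1*256 + p2.  For (198,124) that is 50812, which matches the
    DPT=50812 in the blocked-SYN line the client's firewall logged.
    """
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"byte out of range in PASV reply: {reply!r}")
    ip = str(ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"))
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return ip, port


def check_pasv(reply: str, control_peer: str, proxied_ports: tuple) -> dict:
    """Decide whether the data connection will actually traverse the proxy.

    control_peer   address the client's control connection talks to
                   (the HAProxy failover IP, 5.6.7.8 in the post)
    proxied_ports  inclusive (low, high) range HAProxy binds for data ports

    via_proxy     the advertised address equals the control peer; a strict FTP
                  conntrack helper on the client only creates the RELATED
                  expectation in that case
    port_proxied  the advertised port is inside the range HAProxy forwards
    """
    data_ip, data_port = parse_pasv_reply(reply)
    low, high = proxied_ports
    via_proxy = ipaddress.IPv4Address(data_ip) == ipaddress.IPv4Address(control_peer)
    port_proxied = low <= data_port <= high
    return {
        "data_ip": data_ip,
        "data_port": data_port,
        "via_proxy": via_proxy,
        "port_proxied": port_proxied,
        "ok": via_proxy and port_proxied,
    }


def rewrite_pasv_reply(reply: str, advertise_ip: str) -> str:
    """Build the 227 reply the server should send when advertising advertise_ip.

    vsftpd produces exactly this itself when pasv_address is set; a TCP-mode
    proxy does not look inside the control channel, so the rewrite has to
    happen on the FTP server.
    """
    _, port = parse_pasv_reply(reply)
    octets = str(ipaddress.IPv4Address(advertise_ip)).split(".")
    return "227 Entering Passive Mode ({},{},{},{},{},{}).".format(
        *octets, port // 256, port % 256
    )


if __name__ == "__main__":
    # The reply quoted in the post, analysed against the posted HAProxy setup.
    reply = "227 Entering Passive Mode (9,10,11,12,198,124)."
    print(check_pasv(reply, "5.6.7.8", (50000, 50999)))
    print(rewrite_pasv_reply(reply, "5.6.7.8"))
```

Two practitioner caveats that follow from the checker. First, making the server advertise the proxy's address (vsftpd has the pasv_address directive for this) is only half of it: the advertised port must also be one HAProxy binds, otherwise the SYN reaches 5.6.7.8 and nothing is listening. Second, the posted listen section has no balance or stick directive, so with two server lines HAProxy may hand the data connection to a different backend than the control connection; pinning by client address (balance source, or a stick-table keyed on src) keeps both legs on the same vsftpd instance.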
