Re: FTP load balancing?

From: Willy Tarreau <>
Date: Thu, 22 May 2008 14:03:48 +0200

On Thu, May 22, 2008 at 01:55:35PM +0200, Alberto Giménez wrote:
> On Thu, May 22, 2008 at 10:35 AM, Willy Tarreau <> wrote:
> > I got active FTP load balancing to work in a very simple manner using
> > transparent proxy :
> >
> > client C connects to the service address V on haproxy port 21. haproxy
> > forwards the connection to server S1 port 21, using C as the source address.
> > When client sends "PORT C,X", the server tries to connect to C through the
> > machine running haproxy. You simply have to add a source NAT rule on this
> > machine, which translates S1 source port 20 to V source port 20. The client
> > will then receive a connection from V which is where it established the
> > control connection.
> Hi All,
> At first I though that I got it, but now I've realized that it doesn't
> work (it worked because I had my client configured to use passive
> connections previously). One question: Do you need iptables patched
> with the cttproxy capabilities? I understand it is only required if
> you want to modify the chain of the "transparent things", but for
> standard SNAT it should not be needed.

cttproxy is needed only to get transparent proxying of client's connection to the server (port 21).

> the iptables command I'm trying is:
> iptables -t nat -A POSTROUTING -p tcp -s FTP_SERVER:20 -d -j
> SNAT --to-source VIRTUAL_HAPROXY_IP:20
> Is that correct?

yes, it is correct. Check with tcpdump on the haproxy machine.

Willy Received on 2008/05/22 14:03

This archive was generated by hypermail 2.2.0 : 2008/05/22 14:15 CEST