cannot connect from guest (Win8.1) to host (Tumbleweed), FTP

I can’t figure out why FTP from the guest can’t reach my host. I am 100% sure the FTP server is up and running because I can access it from other devices.
Guest config:
<Looks like I cannot post a picture, so please check the pictures in this question: https://superuser.com/questions/1740779/cannot-connect-from-guest-to-host-ftp>

Host config:

denis@dgecko:~> ip addr
...
3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d0:57:7b:80:71:c2 brd ff:ff:ff:ff:ff:ff
    altname wlp8s0
    inet 192.168.50.160/24 brd 192.168.50.255 scope global dynamic noprefixroute wlo1
       valid_lft 74882sec preferred_lft 74882sec
    inet6 fe80::b624:33a6:58eb:84c9/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
8: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:d0:a7:69 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
10: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:ca:3d:0c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:feca:3d0c/64 scope link 
       valid_lft forever preferred_lft forever

denis@dgecko:~> ip route
default via 192.168.50.1 dev wlo1 proto dhcp src 192.168.50.160 metric 600 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.50.0/24 dev wlo1 proto kernel scope link src 192.168.50.160 metric 600 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 

Ping from Windows to Host (=192.168.50.160) works correctly, however trying

ftp 192.168.50.160

times out. Inspecting with Wireshark, I can see "Destination Unreachable (Port unreachable)".
Windows port 21 is open for in/out-bound, same on my Tumbleweed.
I have tried to create another “routed network” as described here https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-libvirt-networks.html, but without success.

You can, but you should use https://susepaste.org/ to host the image and link to it here (or use the ‘Insert Image’ button to have it as a viewable image)…

Does it work after stopping the firewall on both systems?

No, it doesn’t, I just tried.

Are you sure the FTP server is listening on the internal IP address? Show the output, as root, of

ss -lntp

OK, you are trying to connect to the “external” address. Is routing enabled?

cat /proc/sys/net/ipv4/ip_forward

Can you connect to the internal address (192.168.122.1)?

The FTP server seems to be correctly set up; I can log in/download from it using my phone and another Windows desktop PC. The problem is only with the Windows virtual machine.

Host:

dgecko:/home/denis # cat /proc/sys/net/ipv4/ip_forward
1

dgecko:/home/denis # ss -lntp
State       Recv-Q      Send-Q           Local Address:Port           Peer Address:Port      Process                                      
LISTEN      0           32               192.168.122.1:53                  0.0.0.0:*          users:(("dnsmasq",pid=1948,fd=6))           
LISTEN      0           128                  127.0.0.1:631                 0.0.0.0:*          users:(("cupsd",pid=1308,fd=7))             
LISTEN      0           50                           *:1716                      *:*          users:(("kdeconnectd",pid=2556,fd=14))      
LISTEN      0           32                           *:21                        *:*          users:(("vsftpd",pid=1313,fd=3))            
LISTEN      0           128                    [::1]:631                   [::]:*          users:(("cupsd",pid=1308,fd=6)) 

denis@dgecko:~> ftp 192.168.122.1
Connected to 192.168.122.1.
220 Hi there
Name (192.168.122.1:denis): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.

denis@dgecko:~> ftp 192.168.50.160
Connected to 192.168.50.160.
220 Hi there
Name (192.168.50.160:denis): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 


Guest:
ftp 192.168.50.160 -> timeout
ftp 192.168.122.1 -> timeout

It sounds like something in the VirtualBox setup. What networking is this guest using?

E-h-h … not sure why I assumed this was VirtualBox. What are you using to manage the VM?

Virtual Machine Manager 4.0.0, which came with Tumbleweed.
The guest is using the NAT virtual network “default”, which, again, was there in the first place.

I haven’t succeeded in using “Bridge device”, but I might be misusing it. I literally just tried “bridge device…”, “device name: virbr0”, which was there too. When trying to use Bridge device, I have exactly the same behaviour: timeouts for both IPs (192.168.50.160 and 192.168.122.1).
This is the host output when using Bridge device (I don’t know if this helps in any way):

denis@dgecko:~> ip addr
...
3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d0:57:7b:80:71:c2 brd ff:ff:ff:ff:ff:ff
    altname wlp8s0
    inet 192.168.50.160/24 brd 192.168.50.255 scope global dynamic noprefixroute wlo1
       valid_lft 73062sec preferred_lft 73062sec
    inet6 fe80::b624:33a6:58eb:84c9/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:21:1f:13:78 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:d0:a7:69 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
11: vnet3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:ca:3d:0c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:feca:3d0c/64 scope link 
       valid_lft forever preferred_lft forever

Note that I only have WiFi on my laptop; again, this might be unimportant, I don’t know.

Can you post, while the VM is running, the output of

iptables -L -n -v
iptables -t nat -L -n -v
nft list ruleset

dgecko:~ # iptables -L -n -v
Chain INPUT (policy ACCEPT 448 packets, 41841 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 365K  538M LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 135K  228M LIBVIRT_FWX  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 135K  228M LIBVIRT_FWI  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
41119 4605K LIBVIRT_FWO  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 404 packets, 27645 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 156K   15M LIBVIRT_OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_FWI (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   56 28958 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   56 18274 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_INP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   10   699 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    2   665 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    2   659 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:68
dgecko:~ # iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 179 packets, 22164 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  126  8666 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 16 packets, 1381 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 60 packets, 4232 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    3   178 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 60 packets, 4232 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6517  768K LIBVIRT_PRT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_PRT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
    9   468 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24

This is while the VM is running, as required, with the “default” NAT network.
The output from the last command was pretty long, so I used pastebin: https://pastebin.com/fhcQbVTY.

Please, next time use https://susepaste.org.

You said you disabled the firewall, but this output clearly shows that the firewall is active: virbr0 is in zone libvirt, and this zone does not allow incoming requests on port 21. Also, I do not see any firewalld policy definition that would allow forwarding from the libvirt zone to another zone (i.e. another interface). So with this firewall configuration your results are expected.
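One way to make that zone check explicit, as an added example that is not from the thread: a small Python parser over the output of `firewall-cmd --zone=libvirt --list-all` that reports whether the zone bound to virbr0 admits a given TCP port. The sample listing is constructed to match the zone libvirt ships, and the function names are mine.

```python
"""Check whether a firewalld zone, as printed by firewall-cmd, admits a TCP port."""

# Constructed sample (not captured from the thread's host): what
# `firewall-cmd --zone=libvirt --list-all` prints for libvirt's shipped zone.
# The trailing low-priority `reject` rich rule answers anything not listed
# with ICMP port-unreachable, which is exactly what the guest saw in Wireshark.
LIBVIRT_ZONE_LISTING = """\
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\trule priority="32767" reject
"""

# Service name -> TCP port, for the handful of services this check cares about.
SERVICE_TCP_PORTS = {"ftp": 21, "ssh": 22, "dns": 53}


def parse_zone(listing):
    """Map each 'key: values' line to a token list; rich rules are kept verbatim."""
    zone = {"rich rules": []}
    for line in listing.splitlines()[1:]:          # skip the "name (active)" header
        if not line.strip():
            continue
        if line.startswith("\t"):                  # rich rules are tab-indented
            zone["rich rules"].append(line.strip())
            continue
        key, _, value = line.strip().partition(":")
        if key != "rich rules":
            zone[key] = value.split()
    return zone


def tcp_port_allowed(zone, port):
    """True if a new TCP connection to `port` is admitted by this zone."""
    if any(SERVICE_TCP_PORTS.get(svc) == port for svc in zone.get("services", [])):
        return True
    if f"{port}/tcp" in zone.get("ports", []):
        return True
    # An unconditional `reject` rich rule catches everything the allow-list
    # missed, so target ACCEPT only matters when no such rule is present.
    if any(rule.endswith(" reject") for rule in zone["rich rules"]):
        return False
    return zone.get("target") == ["ACCEPT"]


def verdict(listing, port):
    """One-line result a host admin can act on."""
    zone = parse_zone(listing)
    iface = " ".join(zone.get("interfaces", [])) or "<no interface>"
    if tcp_port_allowed(zone, port):
        return f"tcp/{port} is admitted on {iface}"
    return f"tcp/{port} is rejected on {iface}; allow the service in this zone"
```

On the host the same question is answered live with `firewall-cmd --get-zone-of-interface=virbr0` and `firewall-cmd --zone=libvirt --list-all`; the fix the thread ends with corresponds to `firewall-cmd --permanent --zone=libvirt --add-service=ftp` followed by `firewall-cmd --reload`.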

I confirm this is my fault: I disabled the firewall on the Windows side only, while only opening port 21 in the “Home” zone (which, I was convinced, was the correct one …).
Thanks a lot for your time; everything works as expected after allowing FTP in the libvirt zone.

Thanks again!