I can’t figure out why FTP from the guest can’t reach my host. I am 100% sure the FTP server is up and running because I can access it from other devices.
Guest config:
<Looks like I cannot post picture, so please check pictures in this question: https://superuser.com/questions/1740779/cannot-connect-from-guest-to-host-ftp>
Host config:
denis@dgecko:~> ip addr
...
3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether d0:57:7b:80:71:c2 brd ff:ff:ff:ff:ff:ff
altname wlp8s0
inet 192.168.50.160/24 brd 192.168.50.255 scope global dynamic noprefixroute wlo1
valid_lft 74882sec preferred_lft 74882sec
inet6 fe80::b624:33a6:58eb:84c9/64 scope link noprefixroute
valid_lft forever preferred_lft forever
8: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 52:54:00:d0:a7:69 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
10: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UNKNOWN group default qlen 1000
link/ether fe:54:00:ca:3d:0c brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:feca:3d0c/64 scope link
valid_lft forever preferred_lft forever
denis@dgecko:~> ip route
default via 192.168.50.1 dev wlo1 proto dhcp src 192.168.50.160 metric 600
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.50.0/24 dev wlo1 proto kernel scope link src 192.168.50.160 metric 600
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
Ping from Windows to Host (=192.168.50.160) works correctly, however trying
ftp 192.168.50.160
times out. Inspecting with Wireshark, I can see "Destination Unreachable (Port unreachable)".
Windows port 21 is open for in/out-bound, same on my Tumbleweed.
I have tried to create another “routed network” as described here: https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-libvirt-networks.html, but without success.
You can, but you should use https://susepaste.org/ to host the image and link to it here (or use the ‘Insert Image’ button to have it as a viewable image)…
The FTP server seems to be correctly set up; I can log in and download from it using my phone and another Windows desktop PC. The problem is only with the Windows virtual machine.
Host:
dgecko:/home/denis # cat /proc/sys/net/ipv4/ip_forward
1
dgecko:/home/denis # ss -lntp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 32 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=1948,fd=6))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=1308,fd=7))
LISTEN 0 50 *:1716 *:* users:(("kdeconnectd",pid=2556,fd=14))
LISTEN 0 32 *:21 *:* users:(("vsftpd",pid=1313,fd=3))
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=1308,fd=6))
denis@dgecko:~> ftp 192.168.122.1
Connected to 192.168.122.1.
220 Hi there
Name (192.168.122.1:denis): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
denis@dgecko:~> ftp 192.168.50.160
Connected to 192.168.50.160.
220 Hi there
Name (192.168.50.160:denis): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Virtual Machine Manager 4.0.0, which came with Tumbleweed.
The guest is using the NAT virtual network “default”, which, again, was there in the first place.
I haven’t succeeded in using “Bridge device”, but I might be misusing it. I literally just tried “bridge device…”, “device name: virbr0”, which was there too. When trying to use Bridge device, I have exactly the same behaviour: timeouts for both IPs (192.168.50.160 and 192.168.122.1).
This is the Host output when using Bridge device (I don’t know if this helps in any way):
denis@dgecko:~> ip addr
...
3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether d0:57:7b:80:71:c2 brd ff:ff:ff:ff:ff:ff
altname wlp8s0
inet 192.168.50.160/24 brd 192.168.50.255 scope global dynamic noprefixroute wlo1
valid_lft 73062sec preferred_lft 73062sec
inet6 fe80::b624:33a6:58eb:84c9/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:21:1f:13:78 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 52:54:00:d0:a7:69 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
11: vnet3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UNKNOWN group default qlen 1000
link/ether fe:54:00:ca:3d:0c brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:feca:3d0c/64 scope link
valid_lft forever preferred_lft forever
Note that I only have WiFi on my laptop; again, this might be unimportant, I don’t know.
dgecko:~ # iptables -L -n -v
Chain INPUT (policy ACCEPT 448 packets, 41841 bytes)
pkts bytes target prot opt in out source destination
365K 538M LIBVIRT_INP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
135K 228M LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0
135K 228M LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0
41119 4605K LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 404 packets, 27645 bytes)
pkts bytes target prot opt in out source destination
156K 15M LIBVIRT_OUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_FWI (1 references)
pkts bytes target prot opt in out source destination
56 28958 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWO (1 references)
pkts bytes target prot opt in out source destination
56 18274 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWX (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_INP (1 references)
pkts bytes target prot opt in out source destination
10 699 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
2 665 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain LIBVIRT_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
2 659 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
dgecko:~ # iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 179 packets, 22164 bytes)
pkts bytes target prot opt in out source destination
126 8666 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 16 packets, 1381 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 60 packets, 4232 bytes)
pkts bytes target prot opt in out source destination
3 178 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 60 packets, 4232 bytes)
pkts bytes target prot opt in out source destination
6517 768K LIBVIRT_PRT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_PRT (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255
9 468 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
This is while the VM is running, as required, with the “default” NAT network.
The output from the last command was pretty long, so I used pastebin: https://pastebin.com/fhcQbVTY.
You said you disabled the firewall, but this output clearly shows that the firewall is active: virbr0 is in zone libvirt, and this zone does not allow incoming requests on port 21. Also, I do not see any firewalld policy definition that would allow forwarding from the libvirt zone to another zone (i.e. another interface). So with this firewall configuration your results are expected.
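The check the reply above describes, as an added example that is not part of this thread: a POSIX sh script that parses a constructed sample of `firewall-cmd --info-zone=libvirt` output, reports whether the `ftp` service is admitted by that zone, and prints the firewall-cmd commands that would allow it. The zone name `libvirt`, the interface `virbr0` and the sample zone listing are assumptions taken from the thread, not captured from the poster's host.

```sh
#!/bin/sh
# Added example, not from the thread: decide whether the firewalld zone that
# owns virbr0 admits the "ftp" service, and print the commands that would.
# Constructed sample of `firewall-cmd --info-zone=libvirt` for a stock libvirt
# zone (dhcp/dns/ssh/tftp allowed, everything else rejected by the rich rule).
SAMPLE_ZONE_INFO='libvirt (active)
  target: ACCEPT
  interfaces: virbr0
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  forward: no
  masquerade: no
  rich rules:
        rule priority="32767" reject'

# zone_allows_service ZONE_INFO SERVICE: exit 0 if SERVICE is listed on the
# "services:" line of ZONE_INFO, 1 otherwise. Exact word match, so "tftp"
# never counts as "ftp". Here-document (no pipeline) so "return" works.
zone_allows_service() {
    while IFS= read -r line; do
        case "$line" in
            *services:*)
                for word in ${line#*services:}; do
                    [ "$word" = "$2" ] && return 0
                done ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# fix_commands ZONE SERVICE: the runtime change plus the persistent one.
fix_commands() {
    printf 'firewall-cmd --zone=%s --add-service=%s\n' "$1" "$2"
    printf 'firewall-cmd --zone=%s --add-service=%s --permanent\n' "$1" "$2"
}

main() {
    if zone_allows_service "$SAMPLE_ZONE_INFO" ftp; then
        echo "ftp already allowed in zone libvirt"
    else
        echo "ftp is not allowed in zone libvirt; the ICMP port-unreachable"
        echo "seen in Wireshark is that zone's reject rule. To allow it:"
        fix_commands libvirt ftp
    fi
}
main "$@"
```

On a live host, the same text comes from `firewall-cmd --get-zone-of-interface=virbr0` followed by `firewall-cmd --info-zone=<zone>` (both need firewalld and usually root); the `ftp` service definition also loads the FTP conntrack helper, which plain port 21 rules do not.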
I confirm this is my fault: I did disable the firewall on the Windows side only, while only opening port 21 in the “Home” zone (which I was convinced was the correct one…).
Thanks a lot for your time; everything works as expected after allowing FTP in the libvirt zone.