Virt-manager - VM cannot connect to host

Hi! I had a problem about virt-manager setup:

Recently I installed “virt-manager”, along with a fedora vm, using “NAT” default configuration. I can ssh into VM from Host, but I cannot ssh into Host from VM, and every ports opened on Host are report “Connection Refused” error when try to nc x.x.x.x <port>, however, ping Host works fine from VM. So I want to ask:

How can I fix the problem that “Connection refused” when connecting Host from VM?

Thanks in advance!!!

virt-manager config:

4b48f372713954e34959de5c768b1fca67060f4d.png1567×883 52.5 KB

My Host config:

5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:f8:dc:89 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever

My VM config:

2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:82:f9:95 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.164/24 brd 192.168.122.255 scope global dynamic noprefixroute enp1s0
       valid_lft 2378sec preferred_lft 2378sec
    inet6 fe80::5054:ff:fe82:f995/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Hello,
are you sure that sshd is running on the host?

yes, I’ve tested not only ssh port 22, but also other common ports like 8080, 80, 8000, try to test any of them from VM to Host, all I got is “Connection refused”. But test any of them from Host to VM, I got all of them worked

1. Firewall settings? What does firewall-cmd --list-all say?

2. You could try to run journalctl -ef and look for any messages on the host, which could give you the reason for it.

$ firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: br123 wlp1s0
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

2. I just tried journalctl -ef before nc host-ip 8000, and after nc, I did not see any updates for journalctl’s stdout.

What does systemctl status sshd say?

I just tried restart sshd, thanks for the hint! it works!

But some original problems still exist: I open a http server on my Host listening port 8000, and I run nc host-ip 8000, it still reports ‘connection refused’, whereas nc host-ip 22 works.

Have you tried (on the VM) nmap <ip of host> to see what ports are open?

What are you using for network config for the VM?
I had similar issues when I configured a VM for NAT, but when I set it up as BRIDGED and used the host ‘virbr0’ as the device then everything just worked as expected.

On the host (with no VMs active) I see

$ ip a

4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:31:29:bb brd ff:ff:ff:ff:ff:ff
    inet 192.168.124.1/24 brd 192.168.124.255 scope global virbr0
       valid_lft forever preferred_lft forever

and connections from the VM to the host use the ‘192.168.124.1’ address.

You can change the VM from NAT to Bridged if needed when the VM is down by using the VMM manager and edit that config.

On one of my VMs I see

$ ip a

2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:89:cd:7f brd ff:ff:ff:ff:ff:ff
    inet 192.168.124.58/24 brd 192.168.124.255 scope global dynamic noprefixroute enp1s0
       valid_lft 3552sec preferred_lft 3552sec
    inet6 fe80::72f2:d2f9:aa93:ab84/64 scope link noprefixroute 

so connections from host to VM use that address to connect

@computersavvy Thanks for the hint!

nmap shows this:

PORT    STATE   SERVICE
22/tcp   open      ssh
53/tcp   open     domain

But I have opened a http server using

python -m http.server 8000

Why I cannot see the port 8000 is opened from VM’s point of view?

Possibly the firewall on the host.

I can access that normally, see the image:

d3382cec461c694350bfa47c93169f8b31ba4958.png1441×1292 92.2 KB

The VM networking is the default, I got from virt-manager on Fedora 37 and it looks like this:

My nmap output looks like this:

Starting Nmap 7.93 ( https://nmap.org ) at 2022-09-26 17:16 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000083s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
631/tcp  open  ipp
5900/tcp open  vnc
8000/tcp open  http-alt

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

It seems that you do not have the 8000 opened.

This may or may not be an error when run inside the VM, depending upon what you are testing. The VM has its own lo interface at 127.0.0.1 (as does the host) so neither would communicate with the other using that address. The results would essentially be the same as using that command for the local LAN address for each.

This is nmap that is running on the host, not on the VM. I believe the problem is that @mic123 cannot access the host from his/her VM.

I added the output to show that port 8000 is opened on my host, while on mic123’s host, the port was not found as opened by nmap it seems.

Understood, but my comment still applies.
IP 127.0.0.1 only applies to the localhost and does not work for testing connections for another host, even if it is a VM.

Using the actual LAN address of the host when testing with nmap from the VM will show open or blocked ports on the host. Similarly using the LAN address of the VM when testing from the host will show the results for ports on the VM.

The result will show if the port is open and not blocked by the firewall, or it will show as blocked if not open or if it is open but blocked by the firewall.

This is my VM network configuration on virt-manager:

03240121aacb37fd8667a2e4904f4c2aa57afca2.png1145×563 35.5 KB

And this is my VM ip a:

[root@fedora ~]# ip a
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:6a:95:5c brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.224/24 brd 192.168.122.255 scope global dynamic noprefixroute enp1s0
       valid_lft 3242sec preferred_lft 3242sec
    inet6 fe80::5054:ff:fe6a:955c/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

And this my Host ip a:

17: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:f8:dc:89 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever

Now I opened a server listening port 8000 on my Host, and netstat shows:

$ netstat -and | grep 8000
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN 

and several running results of firewall-cmd are:

$ firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: br123 wlp1s0
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

$ firewall-cmd --list-ports 
1025-65535/tcp 1025-65535/udp

$ firewall-cmd --add-port=8000/tcp
Warning: ALREADY_ENABLED: '8000:tcp' already in 'FedoraWorkstation'
success

$ firewall-cmd --list-ports 
1025-65535/tcp 1025-65535/udp

I guess that now it would be accessible from VM to Host, on port 8000, but it is not:

[root@fedora ~]# nc 192.168.122.1 8000
Ncat: Connection refused.

[root@fedora ~]# nmap 192.168.122.1
Starting Nmap 7.93 ( https://nmap.org ) at 2022-09-27 10:19 CST
Nmap scan report for fedora (192.168.122.1)
Host is up (0.00030s latency).
Not shown: 987 filtered tcp ports (no-response), 11 filtered tcp ports (port-unreach)
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
MAC Address: 52:54:00:F8:DC:89 (QEMU virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 7.27 seconds

[root@fedora ~]# nc 192.168.122.1 22
SSH-2.0-OpenSSH_8.8
^C

[root@fedora ~]# 

As it showed, port 22 is opened and accessible, but not true for 8000. This is weird

@lruzicka Thanks for sharing your configutaion, I think mine is not much different than yours, but I still got situations here.

@computersavvy As the commands output shown, it seems my Host firewall has never made port 8000 accessible from outside, is my guess correct? If so, How can make it accessible like port 22 and port 53?

Of course. I assumed that this is a fact everybody generally knows that 127.0.0.1 is just the representation of the actual machine (the one I am working on) and that you cannot access anything outside of it using this address.

As far as my situation is concerned, my computer uses two internet connections (a wired and a wireless) and has a virtual bridge inside the VMs. It is part of my home network and it is identified there as 192.168.1.x while for the VMs it looks like 192.168.122.1.

Therefore whenever I want to access it from inside the virtual machine, I am using 192.168.122.1.

What if you opened the Python server on some other port? Would that make a difference? I am not sure, but could that be, that you have reserved port 8000 for some other service?

You need to check your /etc/ssh/sshd_config on the host. If you’re using NAT, the vm is going to have a different subnet than the host system. In you sshd_config file there’s a section for what network to listen for and allow:

Port 22
AddressFamily any
ListenAddress 192.168.122.0/24
#ListenAddress ::

As I understand it, when using NAT the VM needs to connect to the host using the host LAN address and not the virbr0 address. Also the host apparently needs to have the VM IP address added to the firewall as allowed to connect since with NAT it is not an internal address.

With bridging using virbr0 the VM apparently is seen as an internal address and I have never needed to make any changes in the firewall config for bi-directional connections between the host & VM.