Here’s the setup:

  • Fedora 41 Server host
  • Libvirt/QEMU
  • Alma 9 guest running ssh

My goal is to forward ports from the guest to the host, but change them. I set up a hook (as in the libvirt docs) and it worked on my last server. My hook looks like:

#!/bin/bash
# libvirt qemu hook: $1 is the guest name, $2 is the operation

if [ "${1}" = "Jellyfin" ]; then

    # Update the following variables to fit your setup
    GUEST_IP=192.168.101.4
    GUEST_PORT=22
    HOST_PORT=2222

    # Remove the forwarding rules when the guest stops (or before re-adding on reconnect)
    if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
        /sbin/iptables -D FORWARD -o virbr1 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT
        /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
    fi
    # Add the forwarding rules when the guest starts
    if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
        /sbin/iptables -I FORWARD -o virbr1 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT
        /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
    fi
fi

However, when I ssh to my server:2222, it doesn’t work, “Connection refused.” I can ssh from inside my server to my guest’s ip address, so I know it’s not an issue with ssh itself. The guest’s iptables rules are:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

so that’s probably not the issue.

My server’s iptables rules include:

-A FORWARD -d 192.168.101.4/32 -o virbr1 -p tcp -m tcp --dport 22 -j ACCEPT

, so it appears the forwarding happened, but an nmap scan reveals the port is closed:

2222/tcp closed EtherNetIP-1

I’m baffled by this issue. Any help would be greatly appreciated!

  • kork349d@lemmy.ml
    4 days ago

    ssh -v can help troubleshoot connection issues. Any firewalls involved on either end?

    • potentiallynotfelixOP
      4 days ago

      ssh -v returns:

      OpenSSH_9.2p1 Debian-2+deb12u4, OpenSSL 3.0.15 3 Sep 2024
      debug1: Reading configuration data /etc/ssh/ssh_config
      debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
      debug1: /etc/ssh/ssh_config line 21: Applying options for *
      debug1: Connecting to 192.168.86.73 [192.168.86.73] port 2222.
      debug1: connect to address 192.168.86.73 port 2222: Connection refused
      ssh: connect to host 192.168.86.73 port 2222: Connection refused
      
      
    • potentiallynotfelixOP
      4 days ago

      No firewalls on the client, but iptables on host and guest. Guest has no rules, just allow all, and host rules are listed in the post.
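
An added example (not part of the thread and not libvirt's own code): the hook installs two rules, a filter FORWARD ACCEPT and a nat PREROUTING DNAT, and this POSIX shell function reads `iptables-save` output and reports whether each one is loaded. The name `check_forward` and the two sample dumps are constructed for illustration; it assumes `iptables-save` is run without `-c` (no packet counters).

```shell
#!/bin/sh
# check_forward GUEST_IP GUEST_PORT HOST_PORT   (hypothetical helper)
# Reads iptables-save output on stdin, prints one status line per rule,
# and returns 0 only when both rules are present in the right tables.
check_forward() (
    guest_ip=$1 guest_port=$2 host_port=$3
    table="" dnat=missing accept=missing
    while IFS= read -r line; do
        case $line in
            \**)    # "*nat" or "*filter" opens a table section
                table=${line#\*} ;;
            "-A PREROUTING "*"--dport $host_port "*"-j DNAT --to-destination $guest_ip:$guest_port")
                if [ "$table" = nat ]; then dnat=present; fi ;;
            "-A FORWARD "*"-d $guest_ip/32 "*"--dport $guest_port "*"-j ACCEPT")
                if [ "$table" = filter ]; then accept=present; fi ;;
        esac
    done
    echo "nat    PREROUTING DNAT  :$host_port -> $guest_ip:$guest_port  $dnat"
    echo "filter FORWARD    ACCEPT -> $guest_ip:$guest_port  $accept"
    [ "$dnat" = present ] && [ "$accept" = present ]
)

# Constructed sample: both rules loaded, in iptables-save syntax.
SAMPLE_BOTH='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.101.4:22
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.101.4/32 -o virbr1 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample: only the filter rule is loaded, the DNAT rule is absent.
SAMPLE_FILTER_ONLY='*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.101.4/32 -o virbr1 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_BOTH" | check_forward 192.168.101.4 22 2222
printf '%s\n' "$SAMPLE_FILTER_ONLY" | check_forward 192.168.101.4 22 2222 \
    || echo "port forward incomplete"
```

On a live host the input would come from `iptables-save` run as root; `iptables -S` on its own lists only the filter table, so the DNAT rule has to be looked up with `-t nat` or through `iptables-save`.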