Linux – iptables / KVM forward port

I have a server with one external IP address (e.g. 1.2.3.4). On that server I use libvirt to run virtual machines. Now I want to access a virtual server on my host via ssh (port 1234) from the outside.

On my host system I got a network interface eth0 which is connected to my outside IP (1.2.3.4).

My virtual machine is connected to the host machine via a nat interface called virbr0 with the ip 192.168.122.235.

As I need to forward a port I did the following with iptable

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1234 -j DNAT --to-destination 192.168.122.235:1234

iptables -A FORWARD -p tcp -d 192.168.122.235 --dport 1234 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

For basic networking I also got UFW running on the host allows port 1234:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
[SOMEOTHERPORTS]
1234/tcp                  ALLOW IN    Anywhere
1234/tcp (v6)             ALLOW IN    Anywhere (v6)

I made sure that forwarding is allowed for all involved network interfaces:

user@someserver ~ # cat /proc/sys/net/ipv4/conf/virbr0/forwarding 
1
user@someserver ~ # cat /proc/sys/net/ipv4/conf/eth0/forwarding 
1

When trying to connect via ssh to the server from the outside network to 1.2.3.4 I get:

ssh: connect to host 1.2.3.4 port 1234: Connection refused

I checked the ssh connection from the host, which is working perfectly.

• What am I doing wrong here?
• Does UFW interfere with iptables?
• How can I get this working?
• Is there an easier way to do port forwarding with
  libvirt / virt-manager? (I tried this:
  http://secomputing.co.uk/2012/02/21/Forwarding-ports-to-KVM-clients/
  which did not work either because XML is not valid when changing to / it does validate but not work if I let it on "network")