AndrasKrigare

Sorry, I was looking more specifically at that DNAT rule

8   480 DNAT       6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 to:192.168.101.4:22

That rule exists in the host 192.168.86.73, correct? And from the guest, 192.168.101.4 you are attempting to ssh into 192.168.86.73:2222?

It might not be your issue (or only issue), but that DNAT rule says that if a connection comes in on port 2222, instead send it to 192.168.101.4:22. So 192.168.101.4->192.168.86.73:2222->192.168.101.4:22. I would have thought you'd want it to be a DNAT to 192.168.86.73, functionally doing port bending, so it goes 192.168.101.4->192.168.86.73:2222->192.168.86.73:22.

That doesn't explain the connection refused, though, based on what you've said; there's some fringe possibilities, but I wouldn't expect for your setup if you hadn't said (like your ~/.ssh/ssh_config defining an alternate ssh port for your guest OS than 22). It's somewhat annoying, but it might be worthwhile to do a packet capture on both ends and follow exactly where the packet is going. So a

tcpdump -v -Nnn tcp port 22 or tcp port 2222

For general awareness, not all flags can match all parts of an iptables command; the part you included there with "--to offset" is only valid with the string module, and not the DNAT action. That said after playing around with it a little, iptables actually does short flag matching, so 'DNAT --to 1.2.3.4' 'DNAT --to-d 1.2.3.4' and 'DNAT --to-destination' are all equivalent, so not the source of your issue.

I am having trouble following the IP scheme, though. Is your Alma guest 192.168.101.4, or is that the host IP? If it's Alma's and you are attempting to ssh from that IP to the host with that iptables rule, what should happen is that DNAT would then redirect that connection back to Alma. If the guest doesn't have a :22 listener, you'd get a connection refused from itself.

Your hook has

/sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT

But I'd didn't think that "--to" was a flag for DNAT, I thought it was "--to-destination"

If you 'iptables -nvL' and 'iptables -t nat -nvL' do you see both your DNAT and forwarding rules (although if the default is ACCEPT and you don't have other rules, the FORWARD one isn't needed), and do you see the packet count for the rules increase?

I do the same, the bumpers feel kinda squishy to me.

I'm always reminded of https://youtu.be/M6dWG18HnOo?si=6VyysSwkj5lD3AEc

Klaus is a newer one, but has joined the tradition rotation

I don't have data to support it, but I'd imagine that the job role within the military can make a big difference. Were you an officer, with a college degree, doing a lot of IT work and never deployed? You're probably gonna be fine.

Were you an enlisted undez who scraped rust, or were deployed and suffering from PTSD? It's gonna be a much harder time.

Relevant SMBCs https://www.smbc-comics.com/comic/the-talk-3

And

Because it's your computer

It likely depends on the courthouse, but generally speaking you'll show up, sign in, someone will give a little talk about how things work, and then you'll wait in a waiting room for a few hours while various names are called. Then you'll go into the court room and the actual jurors will get selected from the pool. They'll ask some questions and depending on the answer some people will get removed (having a family member who's a police officer is pretty common).

If you're not selected, you'll probably go back to the waiting room to see if you get pulled for another case. If you are, you'll sit and listen to the details of the case and eventually make a determination. Depending on the case/jurisdiction, you might also be a "backup juror" where you'll sit through the entirety of the case, but won't actually be part of the deliberation at the end unless another juror had to drop out for some reason.

I ended up getting a murder trial, which was pretty interesting. Overall wasn't a horrible experience, but definitely glad I brought a Steam Deck while I was waiting.

That implies management is held accountable