Compute service node firewall requirements
Console connections for virtual machines, whether direct or through a proxy, are received on ports 5900 to 5999. You must configure the firewall on each Compute service node to enable network traffic on these ports.
Configure the service-node firewall
1. On the server that hosts the Compute service, log in as root.
2. Edit the /etc/sysconfig/iptables file.
3. Add an INPUT rule that allows TCP traffic on ports 5900 to 5999:

    -A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT

   The new rule must appear before any INPUT rules that REJECT traffic. iptables evaluates rules in order, so an ACCEPT rule placed after a REJECT rule is never reached.
4. Save the changes to the /etc/sysconfig/iptables file.
5. Restart the iptables service to ensure that the change takes effect:

    # service iptables restart
The iptables firewall now enables incoming connections to the Compute services. Repeat this process for each Compute service node.
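The ordering requirement in the procedure above is easy to get wrong when the file is edited by hand. The following script is an added example, not part of the original documentation: it checks a rules file in the /etc/sysconfig/iptables format and reports whether the 5900:5999 ACCEPT rule is present and ahead of every INPUT REJECT rule. The function names and the sample rule files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: confirm the console-port rule sits ahead of any INPUT REJECT.
# check_console_rule FILE prints a status word and returns:
#   0 "ok"        ACCEPT for tcp 5900:5999 precedes every INPUT REJECT
#   1 "missing"   no such ACCEPT rule in the INPUT chain
#   2 "shadowed"  an INPUT REJECT comes first, so the ACCEPT is never reached
check_console_rule() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            n++
            if (!accept && /-p tcp/ && /--dports? 5900:5999/ && /-j ACCEPT/)
                accept = n
            if (!reject && /-j REJECT/)
                reject = n
        }
        END {
            if (!accept) { print "missing"; exit 1 }
            if (reject && reject < accept) { print "shadowed"; exit 2 }
            print "ok"
        }' "$1"
}

# Constructed sample rule files (illustrative, not from a real host).
write_samples() {
    cat > "$1/good.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    cat > "$1/shadowed.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
COMMIT
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in good shadowed; do
    echo "$f: $(check_console_rule "$tmp/$f.rules" || true)"
done
rm -rf "$tmp"
```

On a Compute service node, call `check_console_rule /etc/sysconfig/iptables` after saving the file and before restarting the service; a non-zero return means the rule is absent or will never match.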