In tcp/ip loopback is a separate entity from your actual IP address, try connecting to your actual address instead of the loopback as its slightly more realistic simulation of a remote attack. You can't really simulate a lot of attacks using this method though, plus it's too easy to accidentally use your access to the box to do stuff you couldn't normally do remotely.