I would suggest not using the rpcallowip at all. Here's how I currently have a bitcoind setup with remote RPC access:
* Add firewall settings to the bitcoind server that allow 127.0.0.1 to access the RPC port (18332 for testnet, 8332 for mainnet).
* Create a new linux user on the bitcoind server for the sole purpose of providing port forwarding via SSH for the RPC port.
* Setup SSH tunnel access from the machine(s) that require remote RPC access to the bitcoind server. The SSH tunnel should use the new linux user for the SSH session. I like to use public/private RSA keys to setup passwordless SSH between machines. Lastly, for security, when you are adding a public key to the list of authorized keys for the new linux user, you'll want to prevent command execution and restrict port forwarding to only the required RPC port.
Here's a snippet that let's you lock down an SSH session in the manner I just described:
no-pty,no-X11-forwarding,permitopen="localhost:18332",command="/bin/echo do-not-send-commands" THE_PUBLIC_KEY_GOES_HERE
This setup allows remote RPC access via an SSH tunnel without having to expose bitcoind ports to the net (only to the local machine).
If you have never setup passwordless SSH before, I wrote an article a while back that I posted on my site:
https://degreesofzero.com/article/passwordless-ssh-on-linux.html-------- EDIT --------
You know it just occurs to me. You're referencing port 18333 everywhere. That's not the testnet RPC port. Port 18332 is the testnet RPC port that you should be attempting to connect to when using RPC.