AP Continent + IPTables?

Hello! A question for those who have set up the AP Continent (for access to SUFD) + IPTables combination. A problem arose when connecting to the AP Continent through a proxy server on CentOS 7 configured with squid + iptables. Squid wraps traffic on ports 80 and 443; the rest of the traffic is blocked. For the Continent to work, I created the following allow rules in iptables:
*filter
-A FORWARD -s 82.119.129.210 -d 10.10.11.192/27 -i eth0 -o tun0 -p udp --sport 4433 -j ACCEPT
-A FORWARD -d 82.119.129.210 -s 10.10.11.192/27 -o eth0 -i tun0 -p udp --dport 4433 -j ACCEPT
-A FORWARD -s 82.119.129.210 -d 10.10.12.192/27 -i eth0 -o tun1 -p udp --sport 4433 -j ACCEPT
-A FORWARD -d 82.119.129.210 -s 10.10.12.192/27 -o eth0 -i tun1 -p udp --dport 4433 -j ACCEPT
-A FORWARD -s 82.119.129.210 -d 10.10.13.192/27 -i eth0 -o tun2 -p udp --sport 4433 -j ACCEPT
-A FORWARD -d 82.119.129.210 -s 10.10.13.192/27 -o eth0 -i tun2 -p udp --dport 4433 -j ACCEPT
*nat
-A POSTROUTING -o eth0 -p udp --dport 4433 -d 82.119.129.210 -s 10.10.11.192/27 -j MASQUERADE
-A POSTROUTING -o eth0 -p udp --dport 4433 -d 82.119.129.210 -s 10.10.12.192/27 -j MASQUERADE
-A POSTROUTING -o eth0 -p udp --dport 4433 -d 82.119.129.210 -s 10.10.13.192/27 -j MASQUERADE

With this configuration the connection is established every other time and works, then about 10 connections in a row fail at the authentication stage, and then, with no changes to the iptables configuration, it connects again. And if I connect directly to the ISP router configured with NAT, it connects immediately without any problems.
Is it enough to open UDP port 4433 towards the public ("white") address of the AP Continent, given that the source ports are not blocked? And is it possible for several Continent clients to work correctly through one proxy?
I tried calling the Continent operator; it did not help: "everything is set up correctly on our side, look at your equipment". Lowering the MTU to 1400 did not help, and opening all ports towards the Continent did not help either.
July 9th 19 at 14:02
1 answer
July 9th 19 at 14:04
Somehow I doubt that it is UDP.

I have had no dealings with this, so the first line of diagnosis:
in the first console
tcpdump -i tun0 -vnn host 82.119.129.210 -c 1000
in the second console
tcpdump -i eth0 -vnn host 82.119.129.210 -c 1000
start the session that is supposed to go through tun0 to 82.119.129.210 and beyond
watch what arrived at the router in the first console
left through the second and came back immediately
and in the first console went back again to where it belongs
I cannot run tcpdump right now, but when I ran it, there were 10 packets out and 10 replies in. The protocol is UDP. - Trey.Emard commented on July 9th 19 at 14:07
Is it able to work behind NAT at all?
Did you check on a plain router? - Pear commented on July 9th 19 at 14:10
: "And if I connect directly to the ISP router configured with NAT, it connects immediately without any problems." - Trey.Emard commented on July 9th 19 at 14:13
Then let the client sit on 10.10.11.195
tcpdump -i tun0 -vnn host 10.10.11.195 -c 1000
see which ports and hosts there are and open them

If there is nothing except udp 82.119.129.210:4433, then most likely you have a problem with routing into tun
and you need to look directly at the client, or at whether all of the client's requests are routed into tun - Pear commented on July 9th 19 at 14:16
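The two-console tcpdump check from the answer above, turned into a small parser, as an added example that is not part of the original thread: it reads a tun0 dump and an eth0 dump, counts the packets at each hop a request and its reply cross on the proxy, reports the first hop where packets go missing, and lists the source ports MASQUERADE had to rewrite (the case that arises when several clients share one proxy). The WAN address 203.0.113.7, the client addresses and the capture lines are constructed assumptions; only the AP address 82.119.129.210:4433 comes from the question.

```python
import re
from collections import Counter

SERVER, SERVER_PORT = "82.119.129.210", 4433  # the Continent AP from the question
WAN_IP = "203.0.113.7"  # assumed public ("white") address of eth0: a placeholder
# Address line of tcpdump output: the one-line summary, or the second line printed with -v.
PKT = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): UDP, length (\d+)")

# Constructed sample captures, not real traffic: client A's request is answered, client B
# shares source port 41234 with A, and A's 1400-byte packet leaves eth0 but gets no reply.
TUN0 = """\
14:02:01.000001 IP 10.10.11.195.41234 > 82.119.129.210.4433: UDP, length 120
14:02:01.000450 IP 82.119.129.210.4433 > 10.10.11.195.41234: UDP, length 96
14:02:01.200001 IP 10.10.12.200.41234 > 82.119.129.210.4433: UDP, length 120
14:02:02.000001 IP 10.10.11.195.41234 > 82.119.129.210.4433: UDP, length 1400
"""
ETH0 = """\
14:02:01.000050 IP 203.0.113.7.41234 > 82.119.129.210.4433: UDP, length 120
14:02:01.000400 IP 82.119.129.210.4433 > 203.0.113.7.41234: UDP, length 96
14:02:01.200050 IP 203.0.113.7.1024 > 82.119.129.210.4433: UDP, length 120
14:02:02.000050 IP 203.0.113.7.41234 > 82.119.129.210.4433: UDP, length 1400
"""

def parse(capture):
    """Yield (src, sport, dst, dport, length) for every UDP packet in a dump."""
    for m in PKT.finditer(capture):
        yield m[1], int(m[2]), m[3], int(m[4]), int(m[5])

def stage_counts(tun, eth, wan_ip=WAN_IP):
    """Packets at the four points a request and its reply cross the proxy."""
    c = Counter()
    for src, sport, dst, dport, _ in parse(tun):
        if (dst, dport) == (SERVER, SERVER_PORT): c["tun_out"] += 1
        elif (src, sport) == (SERVER, SERVER_PORT): c["tun_in"] += 1
    for src, sport, dst, dport, _ in parse(eth):
        if (dst, dport) == (SERVER, SERVER_PORT) and src == wan_ip: c["eth_out"] += 1
        elif (src, sport) == (SERVER, SERVER_PORT) and dst == wan_ip: c["eth_in"] += 1
    return c

def first_loss(c):
    """First hop with fewer packets than the previous one. eth_out: FORWARD/NAT dropped it
    on the way out; eth_in: the far side never answered; tun_in: reply not forwarded back."""
    order = ["tun_out", "eth_out", "eth_in", "tun_in"]
    return next((cur for prev, cur in zip(order, order[1:]) if c[cur] < c[prev]), None)

def masqueraded_ports(tun, eth, wan_ip=WAN_IP):
    """Source ports seen on eth0 that no tun client used, i.e. reallocated by MASQUERADE."""
    tun_sports = {s for _, s, d, p, _ in parse(tun) if (d, p) == (SERVER, SERVER_PORT)}
    eth_sports = {s for a, s, d, p, _ in parse(eth) if a == wan_ip and (d, p) == (SERVER, SERVER_PORT)}
    return eth_sports - tun_sports
```

Feed it the real dumps (concatenate the tun0, tun1 and tun2 captures into the first argument) and a drop at eth_in with intact eth_out, as in the sample, points at the far side rather than at the iptables rules.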
