Here is my post-firewall snippet, it works perfectly:
iptables -D INPUT -j DROP
iptables -I INPUT -p udp --dport 9513 -j ACCEPT
iptables -t nat -I PREROUTING -i eth1 -p udp --dport 9513 -j DNAT --to-destination $4:9513
iptables -A INPUT -j DROP
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT
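What makes the snippet above work is rule order: the catch-all DROP is deleted, the port ACCEPT is inserted, the DROP is re-appended so it is last again, and the tun0 ACCEPT rules are then inserted at the top. The script below is an added example (not from the original poster) that dry-runs that sequence against a constructed starting INPUT chain, modelling only how -I, -A and -D change position, so the resulting order can be checked before the rules reach a live firewall. The pre-existing conntrack rule in the starting chain is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: a dry-run simulator for one
# iptables chain. It models only rule ORDER for -I (insert at the top), -A
# (append at the bottom) and -D (delete the first exact match), which is what
# decides whether a packet reaches an ACCEPT before the final DROP. Nothing
# here touches the kernel; the starting chain is a constructed placeholder.

CHAIN=""   # newline-separated rule list for the chain being simulated

chain_apply() {            # usage: chain_apply -I|-A|-D "<rule spec>"
    op=$1
    rule=$2
    case "$op" in
        -I) CHAIN=$(printf '%s\n%s\n' "$rule" "$CHAIN") ;;
        -A) CHAIN=$(printf '%s\n%s\n' "$CHAIN" "$rule") ;;
        -D) CHAIN=$(printf '%s\n' "$CHAIN" | awk -v r="$rule" \
                '!done && $0 == r { done = 1; next } { print }') ;;
        *)  echo "unknown op $op" >&2; return 1 ;;
    esac
    CHAIN=$(printf '%s\n' "$CHAIN" | sed '/^$/d')   # drop blanks left by an empty start
}

# Replay the INPUT-chain operations from the post against a constructed
# pre-existing chain that ends in a catch-all DROP, then print the result.
input_chain_order() {
    CHAIN="-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-j DROP"
    chain_apply -D "-j DROP"                        # lift the catch-all
    chain_apply -I "-p udp --dport 9513 -j ACCEPT"  # open the VPN port
    chain_apply -A "-j DROP"                        # put the catch-all back, last
    chain_apply -I "-i tun0 -j ACCEPT"              # tunnel traffic at the top
    printf '%s\n' "$CHAIN"
}

# Succeeds only when the catch-all DROP is the last rule, i.e. no ACCEPT
# added afterwards is shadowed by it.
drop_is_last() {
    [ "$(input_chain_order | tail -n 1)" = "-j DROP" ]
}

input_chain_order
```

Running it prints the final INPUT chain with `-i tun0 -j ACCEPT` first and `-j DROP` last; if the `-D` step were skipped, the re-appended DROP would sit after the original one and the port ACCEPT inserted later would still be shadowed by the stale DROP in the live chain, which is exactly the mistake this dry run is meant to catch.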