It appears the the iptables rule is incorrect.

In my previous configuration I had a border device NATing to a downstream device running as my AMPRNet Gateway. When I first set it up, I had THE EXACT SAME ISSUE YOU ARE EXPERIENCING. I could only receive packets after first initiating them. When asking for advice, I continued to receive information that the iptables rules were correct...

THEY WERE NOT!!!

Why???

As you are receiving this traffic the router interface, IT IS CONSIDERED INPUT since there are no routing rule to forward the packet (this is only done the subsequent DNAT rule added to the iptables firewall).

This is an example from my DD-WRT device when I DNATed to a IPIP gateway downstream (so, this is a known working configuration):

# iptables -t filter -I INPUT -p 4 -i eth0.1 -j ACCEPT # iptables -t nat -I PREROUTING -p 4 -i eth0.1 -j DNAT --to-destination 192.168.0.11

Further, on the INPUT rule, you could use the -d argument and the IP address if your WAN interface has a static address.

Also, after I added this rule to my device, the issue Rob describes doesn't occur (except when I explicitly added a rule to block Pings).

73,

- Lynwood KB3VWG