Iptables – (dnat|redirect) with masquerade doesn’t work

I have a problem, till a bit ago it was working just fine. but now, it doesn't work, but on another testing server it works just fine

I force all traffic to tor, and this part works just fine.
Problem is on masquerade I think as it not change the dnat/redirect port 9040 to the origin port 80/443 back after receive response

• http://ipinfo.io:9040

• Software:

  • 1.6.1-2ubuntu2
  • ubuntu 16.04/18.04 the same result
  • tor 0.3.2.9-1build1

• Networking

  • virbr1 – 192.168.2.0/24 – host only
  • eno1 – 192.168.1.0/24 – internet

• Iptables:

  • /sbin/iptables -t nat -A POSTROUTING -o virbr1 -j MASQUERADE
  • /sbin/iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE # on another server works without that, this was just for testing
  • /sbin/iptables -t nat -A PREROUTING -p udp –source 192.168.2.6 ! –destination 192.168.2.1 -j DNAT –to-destination 192.168.2.1:9040 # tested REDIRECT –to-ports 9040, the same


*filter
:INPUT ACCEPT [174876:86417485]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [170612:89138010]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -d 192.168.2.8/32 -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -s 192.168.2.8/32 -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A OUTPUT -s 192.168.2.8/32 -j DROP
COMMIT
# Completed on Tue Feb 20 09:32:11 2018
# Generated by iptables-save v1.6.1 on Tue Feb 20 09:32:11 2018
*nat
:PREROUTING ACCEPT [193:19723]
:INPUT ACCEPT [193:19723]
:OUTPUT ACCEPT [129:12889]
:POSTROUTING ACCEPT [124:11792]
:DOCKER - [0:0]
-A PREROUTING -s 192.168.2.8/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.2.1:5353
-A PREROUTING -s 192.168.2.8/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.2.1:5353
-A PREROUTING -s 192.168.2.8/32 ! -d 192.168.2.1/32 -p tcp -j DNAT --to-destination 192.168.2.1:9040
-A PREROUTING -s 192.168.2.8/32 ! -d 192.168.2.1/32 -p udp -j DNAT --to-destination 192.168.2.1:9040
-A POSTROUTING -o tun5 -j MASQUERADE
-A POSTROUTING -o virbr1 -j MASQUERADE
COMMIT
# Completed on Tue Feb 20 09:32:11 2018
# Generated by iptables-save v1.6.1 on Tue Feb 20 09:32:11 2018
*mangle
:PREROUTING ACCEPT [3538365:1832890486]
:INPUT ACCEPT [3538362:1832890258]
:FORWARD ACCEPT [3:228]
:OUTPUT ACCEPT [3495644:1711746305]
:POSTROUTING ACCEPT [3496898:1711973811]
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT


• /proc/sys/net/ipv4/ip_forward is set to 1

• Monitoring with conntrack -L

  • tcp 6 431973 ESTABLISHED src=192.168.2.6 dst=172.217.16.4 sport=49215 dport=443 src=192.168.2.1 dst=192.168.2.6 sport=9040 dport=49215 [ASSURED] mark=0 use=1
  • tcp 6 431983 ESTABLISHED src=192.168.2.6 dst=104.81.60.33 sport=49226 dport=80 src=192.168.2.1 dst=192.168.2.6 sport=9040 dport=49226 [ASSURED] mark=0 use=1
  • tcp 6 431972 ESTABLISHED src=192.168.2.6 dst=64.233.184.154 sport=49211 dport=443 src=192.168.2.1 dst=192.168.2.6 sport=9040 dport=49211 [ASSURED] mark=0 use=1
  • tcp 6 431972 ESTABLISHED src=192.168.2.6 dst=54.192.185.106 sport=49216 dport=80 src=192.168.2.1 dst=192.168.2.6 sport=9040 dport=49216 [ASSURED] mark=0 use=1
  • tcp 6 431973 ESTABLISHED src=192.168.2.6 dst=216.58.208.46 sport=49194 dport=80 src=192.168.2.1 dst=192.168.2.6 sport=9040 dport=49194 [ASSURED] mark=0 use=1
  • tcp 6 74 TIME_WAIT src=192.168.2.6 dst=178.255.83.1 sport=49190 dport=80 src=192.168.2.1 dst=192.168.2.6 sport=9040 dport=49190 [ASSURED] mark=0 use=1

PS on another server with the same OS, iptables version, iptables rules it works just fine

Thanks in advance