Solved the port forwarding issue but still have some questions on iptables settings for the Snowflake proxy.
From the conntrack status obtained while the Snowflake proxy is trying to determine its NAT type, it seems to be expecting reply UDP packets from a different host:port than the original destination host:port.
This is not only a NAT issue; even iptables would not track these unsolicited replies (from a different host:port) as RELATED and would thus drop them unless explicitly accepted.
To enable this kind of traffic pattern, I currently have to let iptables ACCEPT UDP packets for the whole ephemeral range (32786 to 60999) with minimal filtering (a simple check that the packet contains the STUN magic cookie at offset 0x20), which seems way too permissive.
Is there a way to set up iptables so that it accepts UDP packets destined to the originating ports used by Snowflake (random ones within the 32768 to 60999 range) but not those packets that are destined to other ports which haven’t seen an outgoing UDP packet for a while?
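
An added example, not part of the original post: the range-wide rule described above next to a tighter variant that uses an ipset with per-entry timeouts to remember which local UDP source ports sent traffic recently. The set name, the 120-second timeout and the 32768 to 60999 range are assumptions, and `ipset` must be installed.

```shell
#!/bin/sh
# Added example (not from the original post). Dry run by default: commands are
# printed. Set APPLY=1 and run as root to execute them.
PORTS_LO=32768; PORTS_HI=60999     # assumed: Linux default ip_local_port_range
SET_NAME=sf_ports                  # hypothetical set name
TTL=120                            # assumed idle timeout in seconds
# u32: skip the IPv4 header (IHL*4), then read 4 bytes at UDP(8)+STUN(4)=12.
# For an option-less IPv4 header this is the offset 0x20 from the post.
STUN_COOKIE='0>>22&0x3C@12=0x2112A442'

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Current approach from the post: whole range, cookie check only.
weak_rule() {
    run iptables -A INPUT -p udp --dport "$PORTS_LO:$PORTS_HI" \
        -m u32 --u32 "$STUN_COOKIE" -j ACCEPT
}

# Tighter: remember each local source port that sent UDP, expire it after
# TTL seconds of silence, and accept inbound only to remembered ports.
tracked_rules() {
    run ipset -exist create "$SET_NAME" bitmap:port \
        range "$PORTS_LO-$PORTS_HI" timeout "$TTL"
    # --exist refreshes the timer on every outgoing packet from that port.
    run iptables -A OUTPUT -p udp --sport "$PORTS_LO:$PORTS_HI" \
        -j SET --add-set "$SET_NAME" src --exist --timeout "$TTL"
    # Inbound is accepted from any remote host:port, but only to a port in
    # the set, and only if the STUN magic cookie is present.
    run iptables -A INPUT -p udp --dport "$PORTS_LO:$PORTS_HI" \
        -m set --match-set "$SET_NAME" dst \
        -m u32 --u32 "$STUN_COOKIE" -j ACCEPT
}

tracked_rules
```

The INPUT rule has to sit ahead of the final DROP. Adding `-m owner --uid-owner <proxy user>` to the OUTPUT rule limits the set to ports opened by the proxy's own account.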