Now for a long long time I have been perplexed by why my firewall never works on my linux boxes on initial boot.
When you run iptables --list is shows all the rules but never works until you run it again under the root account. Now I finally got around to finding out why and its because the ipv4 forwarding is being reset somewhere down the boot chain. Yep I found it, what you need to do is edit /etc/sysctl.conf and change the net.ipv4.ip_forward = 1 as this is set to 0 by default and switches off all forwarding used in any firewall script.
Now I did have the forwarding set in the script but the sysctl appears to run after all the startup processes.
Hope this helps as it certainly has been puzzling me for sometime.