SuSEfirewall2 FW_REDIRECT="0/0,0/0,<protocol>,<dPORT>,<lPORT>" doesn't redirect any inet interfaces

/etc/sysconfig/SuSEfirewall2.d/services/dc-server

## Name: Direct Connect server (PtokaX)
## Description: Opens ports for P2P Direct Connect server PtokaX
TCP="411 666"
UDP="411 666"
FW_REDIRECT="0/0,0/0,tcp,411,4111 0/0,0/0,udp,411,4111 0/0,0/0,tcp,666,6666 0/0,0/0,udp,666,6666"

The redirect works from outside and the server is available, but redirection from inside does not work.

telnet localhost|domain|IP 411
Trying 127.0.0.1|IP...
telnet: connect to address 127.0.0.1|IP: Connection refused

1. Why is this happening? What blocks the FW_REDIRECT rules for localhost and the external network interface? How can I fix it so that the FW_REDIRECT rule works not only from outside, but also for the hostname pointing to the IP of the external network interface?
P.S. Instead of 0/0,0/0,… I also tried 0/0,127.0.0.0/8,… and 0/0,IP/32,… but the result of

telnet localhost|hostname|IP 411

is that it has no effect, and even if it had one, specifying an IP in the config is not good for this; besides, there is 0/0, which should indicate ALL addresses, not ALL BUT the internal and external network interfaces.

2. Is it possible to shorten the FW_REDIRECT rules by combining protocols and/or ports?

(Speculating)

Probably somewhere before the entries you posted, interfaces are defined, and your rules are being applied only to the external interface.

The loopback interface (127.x.y.z) is a completely different interface, so, depending on how your rules are applied, it may not be affected by your rule.

If you aren’t able to figure out what is happening, the entire IP Tables config will need to be posted, not just the snippet.

TSU
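
An added illustration of the interface point above, not part of the original thread: nat PREROUTING rules are only consulted for packets arriving on a network interface, while connections opened on the host itself traverse nat OUTPUT instead. The sketch parses the FW_REDIRECT value from the question and prints, without executing anything, a PREROUTING rule per entry and device plus the OUTPUT counterpart a local client would need; the helper names and rule layout are assumptions, not what SuSEfirewall2 itself generates.

```sh
#!/bin/sh
# Added example: print (never execute) iptables nat rules for FW_REDIRECT entries.
# Entry format from the page: <source>,<destination>,<protocol>,<dPORT>,<lPORT>

# Values copied from the configuration posted in the thread.
FW_REDIRECT="0/0,0/0,tcp,411,4111 0/0,0/0,udp,411,4111 0/0,0/0,tcp,666,6666 0/0,0/0,udp,666,6666"
FW_DEV_EXT="enp0s10 enp0s16 ppp0 wlp5s0"

# valid_port N: succeeds when N is a decimal port number in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 65535 ] 2>/dev/null
}

# redirect_rules CHAIN ENTRIES [DEVICES]   (hypothetical helper)
#   PREROUTING: one rule per entry and device; matches packets arriving on it.
#   OUTPUT:     one rule per entry; matches connections opened on this host,
#               which are routed over lo even when they target the host's
#               external address.
# The body runs in a subshell so the IFS and globbing changes do not leak.
redirect_rules() (
    chain=$1 entries=$2 devs=${3:-}
    set -f
    for entry in $entries; do
        IFS=,
        set -- $entry            # split the entry on commas
        IFS=' '
        if [ $# -ne 5 ] || [ -z "$1" ] || [ -z "$2" ]; then
            echo "bad entry (want src,dst,proto,dport,lport): $entry" >&2
            exit 1
        fi
        src=$1 dst=$2 proto=$3 dport=$4 lport=$5
        case $proto in tcp|udp) ;; *) echo "bad protocol in: $entry" >&2; exit 1 ;; esac
        valid_port "$dport" && valid_port "$lport" ||
            { echo "bad port in: $entry" >&2; exit 1; }
        match="-p $proto --dport $dport -j REDIRECT --to-ports $lport"
        [ "$dst" = 0/0 ] || match="-d $dst $match"   # 0/0 means "any": no match needed
        [ "$src" = 0/0 ] || match="-s $src $match"
        case $chain in
            PREROUTING)
                for dev in $devs; do
                    printf '%s\n' "iptables -t nat -A PREROUTING -i $dev $match"
                done ;;
            OUTPUT)
                printf '%s\n' "iptables -t nat -A OUTPUT -o lo $match" ;;
            *)  echo "unknown chain: $chain" >&2; exit 1 ;;
        esac
    done
)

echo "# packets arriving on an external device:"
redirect_rules PREROUTING "$FW_REDIRECT" "$FW_DEV_EXT"
echo "# connections opened on the host itself:"
redirect_rules OUTPUT "$FW_REDIRECT"
```

`iptables -S` and `iptables -nL` without `-t` list only the filter table; `iptables -t nat -S` lists the nat rules, which is where REDIRECT targets live.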

Is this it?
sudo iptables -S

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forward_ext
-N input_ext
-N reject_func
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p igmp -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 443 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 3030:3033 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 3030:3033 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 411 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 411 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 666 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 666 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8200 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8200 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 993 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 993 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 995 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 995 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 4046 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 4046 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 6600 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 6600 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8000 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 23420 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 23420 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 25 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 587 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 587 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 9999 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 10000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 10000 -j ACCEPT
-A input_ext -p udp -m udp --dport 3030:3033 -j ACCEPT
-A input_ext -p udp -m udp --dport 411 -j ACCEPT
-A input_ext -p udp -m udp --dport 666 -j ACCEPT
-A input_ext -p udp -m udp --dport 1900 -j ACCEPT
-A input_ext -p udp -m udp --dport 1234 -j ACCEPT
-A input_ext -p udp -m udp --dport 123 -j ACCEPT
-A input_ext -p udp -m udp --dport 23420 -j ACCEPT
-A input_ext -p udp -m udp --dport 9999 -j ACCEPT
-A input_ext -p udp -m udp --dport 10000 -j ACCEPT
-A input_ext -p udp -m udp --dport 10001 -j ACCEPT
-A input_ext -p udp -m udp --dport 10002 -j ACCEPT
-A input_ext -m limit --limit 3/min -m mark --mark 0x1 -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-ACC-REDIR " --log-tcp-options --log-ip-options
-A input_ext -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m mark --mark 0x1 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable

Or this?
sudo iptables -nL

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
input_ext  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-IN-ILL-TARGET "
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain forward_ext (0 references)
target     prot opt source               destination         

Chain input_ext (1 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     2    --  0.0.0.0/0            0.0.0.0/0           
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:443 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpts:3030:3033 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:3030:3033
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:411 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:411
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:666 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:666
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:8200 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8200
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:993 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:995 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:4046 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:4046
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:6600 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6600
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:8000 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8000
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:23420 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23420
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:25 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:587 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:22 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:9999 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9999
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:10000 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:3030:3033
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:411
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:666
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1234
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:23420
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:9999
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:10000
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:10001
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:10002
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 mark match 0x1 ctstate NEW LOG flags 6 level 4 prefix "SFW2-INext-ACC-REDIR "
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW,RELATED,ESTABLISHED mark match 0x1
DROP       all  --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = multicast
DROP       all  --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
LOG        icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
LOG        udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain reject_func (0 references)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

After thinking about your situation a bit,

It should be noted that by default nothing should be blocked (everything is allowed) on the localhost interface, and that rule is in place in what you posted. No rule should be necessary to “allow” any kind of traffic on your localhost interface by default.

That suggests to me that the problem likely isn’t in your firewall rules but in your application (torrent app) configuration.

Where is your torrent app? Is there a reason why your rule is forwarding and not just allowing?

TSU

My torrent app is qBitTorrent, on ports 9999 tcp/udp. I disabled it during the test and reloaded the firewall and PtokaX, but it had no effect.
I do not understand how qBitTorrent could affect this, even in theory.

Ports 411 and 666 are used for the P2P application DC++ Hub, which is launched as an unprivileged user on ports 4111 and 6666, respectively.
I can easily connect to these locally on ports 4111 and 6666 via telnet and/or a DC client.

I did not change the firewall configuration, except for assigning the external network interface to the external zone, and creating and linking a service file to open ports and protocols for the external zone.
The network is configured statically via systemd-networkd.
If you need more of my configuration files, tell me exactly which ones I should provide.

/etc/sysconfig/SuSEfirewall2

FW_DEV_EXT="enp0s10 enp0s16 ppp0 wlp5s0"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV=""
FW_MASQ_NETS=""
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT="apache2  apache2-ssl dc-client dc-server dlna dovecot igmp mednafen mpd ntp  skype smtp smtp.rpmsave sshd torrent"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY=""
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW=""
FW_ALLOW_PING_DMZ=""
FW_ALLOW_PING_EXT=""
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT=""
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_ZONE_DEFAULT=''
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""
FW_WRITE_STATUS=""
FW_RUNTIME_OVERRIDE=""
FW_LO_NOTRACK=""
FW_BOOT_FULL_INIT="no"

/usr/lib/systemd/network/ethernet.network

[Match]
Name=en*

[Link]
MACAddress=00:AA:BB:CC:DD:EE

[Network]
Description=Ethernet
#DHCP=ipv4
DHCP=no
Address=178.150.103.17/24
Gateway=178.150.103.254
DNS=8.8.8.8
DNS=109.86.2.2

[DHCP]
RouteMetric=10

I had to try to figure out what PtokaX is first.
Even after visiting the website, skimming through the screenshots and watching a couple of YouTube videos, I’m not sure I know what it is.

It calls itself a “Direct Connect Hub” which isn’t descriptive enough to me, and there’s no adequate technical description so I’m guessing…
I think it’s a private network of nodes (aka hubs) for the purpose of setting up a private network between authenticated Users.
If this is the case, then it has some resemblance to a proxy while not really conforming to common proxy methods and standards.

The big thing that jumped out at me is that it looks like PtokaX has a Network Re-direction configuration.
I’d recommend you use that to do any re-direction/routing between IP addresses on your machine instead of IPtables forwarding. If that works, it’s much easier than what you’re doing now.

In fact, I suspect that the following would be simplest…
Configure PtokaX to do a “network re-direct” to your loopback address (127.0.0.1), you can keep the same or change port, it isn’t important (recommend keep the port the same for simplicity).
Then configure your Torrent application on the loopback address, listening on the specified port.
Your IPTables should contain a tcp and udp “allow” rule for the specified port on the external address only (not a FORWARD rule as you’re doing now); no need to create any special rule for your loopback address.

Everything then should “just work.”
I’ve configured something similar many times using other applications in the past, so I hope your Ptoka and QBtorrent should be no different.

TSU