Fixed it!
The instruction

    iptables -I FORWARD -i %i -m state --state NEW -j DROP

says to drop any incoming packets that would be used to initiate a new connection, which I guess is the very definition of what you’d be listening for on your listening port.
So, the additional iptables instructions in my first reply are unnecessary. I just needed to remove those PostUp and PostDown commands, and my conf works. I hope this can be helpful to someone else!