NAT. iptables does NAT for you. Without NAT, gateone does not know where
to send the replies, because it does not know a route to crooked. With NAT
on, gateone thinks that slick is talking to it, and slick knows to return replies to crooked.
Remove the bogus rules from your iptables and leave only the:
-t nat -A POSTROUTING -o eth0 -j MASQUERADE
Your default rules are ACCEPT, and since you don’t REJECT anything
all those rule evaluations are wasted cycles. What you will be left with is
almost no "iptables", just the necessary masquerade.
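
An added example, not part of the original post: a shell function that reads iptables-save output and lists the ACCEPT rules that can never change a verdict, because their chain's policy is ACCEPT and the chain has no other target. The sample ruleset, the eth1 interface and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not the poster's real ruleset);
# eth1 as the inside interface is an assumption.
sample_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Reads iptables-save text on stdin. A chain is reported only when its policy
# is ACCEPT and every rule in it targets ACCEPT; any other target (DROP,
# REJECT, MASQUERADE, a user chain, -g) marks the chain as mixed and skips it.
redundant_accepts() {
awk '
/^\*/ { table = substr($0, 2); next }                       # "*filter", "*nat"
/^:/  { policy[table " " substr($1, 2)] = $2; next }        # ":INPUT ACCEPT [0:0]"
/^-A / {
    key = table " " $2
    for (i = 3; i <= NF; i++) {
        if ($i == "-g") mixed[key] = 1
        if ($i == "-j") {
            if ($(i + 1) == "ACCEPT") { n++; where[n] = key; rule[n] = $0 }
            else mixed[key] = 1
        }
    }
}
END {
    for (i = 1; i <= n; i++)
        if (policy[where[i]] == "ACCEPT" && !(where[i] in mixed))
            print where[i] ": " rule[i]
}'
}

sample_ruleset | redundant_accepts
```

On a live gateway the same function can be fed with iptables-save run as root; the masquerade rule is never listed because its target is not ACCEPT.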