iptables cannot match HTTPS traffic

I have a WiFi router (Xiaomi HD) running a customized OpenWrt, and I added some iptables rules trying to count HTTPS traffic, but the rules do not seem to match the HTTPS traffic. Here are the rules (on the router):

root@XiaoQiang: iptables -nvxL FORWARD
Chain FORWARD (policy ACCEPT 22 packets, 3134 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       4     1668            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443
       7      713            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
      22     3134            all  --  *      *       0.0.0.0/0            0.0.0.0/0          

I generated the HTTPS traffic as follows (on the laptop):

xxx-Pro:traffic_statistics user$ wget https://downloads.openwrt.org/releases/18.06.1/targets/ipq806x/generic/packages/libc_1.1.19-1_arm_cortex-a15_neon-vfpv4.ipk
root@xxx# ll libc_1.1.19-1_arm_cortex-a15_neon-vfpv4.ipk
-rw-r--r--@ 1 tengjp  staff  226903  8 17 19:46 libc_1.1.19-1_arm_cortex-a15_neon-vfpv4.ipk

and it succeeded, but the iptables counters do not seem to match the size of the downloaded file.

If I add a REJECT rule for port 443, it does match that rule, and wget cannot even establish the connection (on the laptop):

xxx-Pro:traffic_statistics user$ wget https://downloads.openwrt.org/releases/18.06.1/targets/ipq806x/generic/packages/libc_1.1.19-1_arm_cortex-a15_neon-vfpv4.ipk
--2019-01-22 15:29:50--  https://downloads.openwrt.org/releases/18.06.1/targets/ipq806x/generic/packages/libc_1.1.19-1_arm_cortex-a15_neon-vfpv4.ipk
Resolving downloads.openwrt.org (downloads.openwrt.org)... 148.251.78.235
Connecting to downloads.openwrt.org (downloads.openwrt.org)|148.251.78.235|:443... 

failed: Operation timed out.
Retrying.

--2019-01-22 15:31:06--  (try: 2)  https://downloads.openwrt.org/releases/18.06.1/targets/ipq806x/generic/packages/libc_1.1.19-1_arm_cortex-a15_neon-vfpv4.ipk
Connecting to downloads.openwrt.org (downloads.openwrt.org)|148.251.78.235|:443... failed: Operation timed out.
Retrying.

// on router
root@XiaoQiang: iptables -nvxL FORWARD
Chain FORWARD (policy ACCEPT 91 packets, 10410 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
      95     5399 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 reject-with icmp-port-unreachable
       7      312            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443
      84     4713            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
     157    15471            all  --  *      *       0.0.0.0/0            0.0.0.0/0 

I also tried HTTP traffic, and it works fine.

Router OS information:

root@XiaoQiang:/userdisk# uname -a
Linux XiaoQiang 3.4.103 #1 MiWiFi-R3D-2.29.4 SMP PREEMPT Thu Dec 13 08:44:30 UTC 2018 armv7l GNU/Linux
root@XiaoQiang:/userdisk# iptables -v
iptables v1.4.21: no command specified
Try `iptables -h' or 'iptables --help' for more information.
root@XiaoQiang:/userdisk# cat /proc/version 
Linux version 3.4.103 (jenkins@f408c3ab886a) (gcc version 4.8.5 (crosstool-NG crosstool-ng-1.22.0) ) #1 MiWiFi-R3D-2.29.4 SMP PREEMPT Thu Dec 13 08:44:30 UTC 2018
root@XiaoQiang:/userdisk# cat /etc/openwrt_release 
DISTRIB_ID="QSDK"
DISTRIB_RELEASE="IPQ806X.LN"
DISTRIB_REVISION="unknown"
DISTRIB_CODENAME="standard"
DISTRIB_TARGET="ipq806x/MiWiFi"
DISTRIB_DESCRIPTION="QSDK Standard IPQ806X.LN"

I also tried another router with a different OS version, and both HTTP and HTTPS work fine with the same iptables rules:

Linux PandoraBox 3.14.44 #7 Mon Jun 8 22:23:15 CST 2015 mips GNU/Linux
iptables v1.4.21

Any suggestions are appreciated!
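As an added example (not part of the original question), here is a POSIX sh script that parses the counter table printed by `iptables -nvxL FORWARD` and compares the bytes counted on the port-443 rules with the size of the downloaded file. The sample table embedded in the script is the first one pasted above, and the file size is the 226903 bytes shown by `ll`; on the router you would pipe the live command output into the same function instead. The byte counters include IP and TCP headers, so a counted total that is smaller than the payload means the packets are not traversing the rule at all, not that the accounting is merely off by header overhead. Seeing only the first few packets of each flow is the classic symptom of a flow-offload or hardware-NAT engine handling the rest of the connection below netfilter; the script does not diagnose that, it only makes the gap measurable.

```shell
#!/bin/sh
# Added example (not from the original post): parse `iptables -nvxL` output and
# check whether the bytes counted on the port-443 rules can account for a download.

# Counter table as pasted in the question (sample input copied from the post).
SAMPLE='Chain FORWARD (policy ACCEPT 22 packets, 3134 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       4     1668            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443
       7      713            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
      22     3134            all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# port_bytes DIR PORT  (reads the table on stdin)
# Sums the byte counter of every rule whose match text contains "DIR:PORT",
# where DIR is spt or dpt. With -x the counter is an exact number, not "3134K".
port_bytes() {
    awk -v key="$1:$2" '
        # data rows start with two numeric columns: pkts bytes ...
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && index($0, key) { sum += $2 }
        END { printf "%d\n", sum + 0 }'
}

# covered FILESIZE COUNTED
# Prints "yes" if the counted volume at least reaches the payload size, else "no".
# Counters include headers, so "no" means packets never hit the rule.
covered() {
    if [ "$2" -ge "$1" ]; then echo yes; else echo no; fi
}

# Usage on the router: replace the sample with a live read, e.g.
#   iptables -nvxL FORWARD | port_bytes spt 443
FILESIZE=226903   # size of the .ipk from the `ll` output in the post
DOWN=$(printf '%s\n' "$SAMPLE" | port_bytes spt 443)   # server -> client bytes
UP=$(printf '%s\n' "$SAMPLE" | port_bytes dpt 443)     # client -> server bytes
echo "from :443 = $DOWN bytes, to :443 = $UP bytes, file = $FILESIZE bytes"
echo "download accounted for by the counters: $(covered "$FILESIZE" "$DOWN")"
```

Run it once with the table from the router and once more after re-downloading the file: if the spt:443 counter grows by a few packets per connection but never by anything near the file size, the rule is only seeing connection setup.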
