求助：关于架设centos6 ikev2 vpn 服务iptables的问题

各位专家，大家好
我想求助关于加设centos ikev2 vpn服务中iptables的问题：
我架设一台centos6的ikev2 vpn 服务器，ip：192.168.200.28 ，可以正常上网。终端是win7 系统，终端可以正常拨入vpn ，但是去不能通过vpn上网，不知道是什么问题，我附上centos iptables的配置，请各位专家指正，谢谢

# Generated by iptables-save v1.4.7 on Fri Dec 18 03:06:08 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [226:29474]
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.31.2.0/24 -p gre -j ACCEPT
-A FORWARD -s 10.31.2.0/24 -p gre -j ACCEPT
-A FORWARD -s 10.31.2.0/24 -p tcp -m tcp --dport 1723 -j ACCEPT
-A FORWARD -s 10.31.2.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.31.2.0/24 -j ACCEPT
-A FORWARD -d 10.31.2.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Dec 18 03:06:08 2015
# Generated by iptables-save v1.4.7 on Fri Dec 18 03:06:08 2015
*nat
:PREROUTING ACCEPT [167:23532]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:120]
-A POSTROUTING -s 10.31.2.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.31.2.0/24 -o eth0 -j SNAT --to-source 192.168.200.28
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Fri Dec 18 03:06:08 2015