How to do proper port forwarding through iptables in CentOS?
Hello! I'm still just learning CentOS and trying to deal with a seemingly simple task.
Previously, the same server hosted both AD and hosting, and a mountain of everything else. It was decided to allocate a new server for hosting and assign it a public IP.
NOD32 remained on the second server, and it was reached via port 2221 to download updates.
I need requests to 1.2.3.4:2221 to be redirected to 1.2.3.5:2221.
What I have tried:
-A PREROUTING -p tcp -d 1.2.3.4/32 --dport 2221 -j DNAT --to-destination 1.2.3.5:2221
-A FORWARD -d 1.2.3.5/32 -p tcp -m tcp --dport 2221 -j ACCEPT
Network map:

iptables-save:
# Generated by iptables-save v1.4.7 on Wed Feb 4 13:06:28 2015
*nat
:PREROUTING ACCEPT [445:35874]
:POSTROUTING ACCEPT [201:12052]
:OUTPUT ACCEPT [201:12052]
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 2221 -j DNAT --to-destination 1.2.3.5:2221
# -d takes an address/mask, not address:port; the posted "-d 1.2.3.5:2221" would be rejected by iptables-restore
-A POSTROUTING -d 1.2.3.5/32 -p tcp -m tcp --dport 2221 -j SNAT --to-source 1.2.3.4
COMMIT
# Completed on Wed Feb 4 13:06:28 2015
# Generated by iptables-save v1.4.7 on Wed Feb 4 13:06:28 2015
*filter
:INPUT DROP [70:5549]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1859:1537954]
:fail2ban-MAIL - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-VESTA - [0:0]
:vesta - [0:0]
-A INPUT -p tcp -m multiport --dports 25,465,587,2525,110,995,143,993 -j fail2ban-MAIL
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-VESTA
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587,2525 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3306,5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 1.2.3.5/32 -j ACCEPT
-A INPUT -s 192.168.0.5/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 188.234.250.167/32 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT

ifconfig:
eth0 Link encap:Ethernet HWaddr 00:15:17:53:DB:90
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::215:17ff:fe53:db90/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:405335 errors:0 dropped:0 overruns:0 frame:0
TX packets:168104 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:40001441 (38.1 MiB) TX bytes:44595393 (42.5 MiB)
Interrupt:18 Memory:78820000-78840000

eth1 Link encap:Ethernet HWaddr 00:15:17:53:DB:91
inet addr:1.2.3.4 Bcast:1.2.3.255 Mask:255.255.255.0
inet6 addr: fe80::215:17ff:fe53:db91/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3022790 errors:0 dropped:0 overruns:0 frame:0
TX packets:4474972 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:464511566 (442.9 MiB) TX bytes:5637706969 (5.2 GiB)
Interrupt:19 Memory:78800000-78820000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:7155004 errors:0 dropped:0 overruns:0 frame:0
TX packets:7155004 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10714272576 (9.9 GiB) TX bytes:10714272576 (9.9 GiB)

/etc/sysctl.conf:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
Answer:
:FORWARD ACCEPT [0:0] - indicates that forwarding is not allowed in the kernel
sysctl -w net.ipv4.ip_forward=1
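The complete rule set the question is after, as an added example that is not code from the original post or answer. It takes the addresses, port and WAN interface from the question (1.2.3.4 on eth1, target 1.2.3.5, TCP 2221) as defaults, emits a fragment in iptables-restore format, and only touches the live firewall when run with --apply. The SNAT rule on POSTROUTING is what makes replies from 1.2.3.5 flow back through this host when 1.2.3.5 does not route via it; the FORWARD rules are needed because a DNATed packet still traverses the FORWARD chain, and a forwarding check precedes the apply step because a net.ipv4.ip_forward line in /etc/sysctl.conf only takes effect after sysctl -p or a reboot.

```shell
#!/bin/sh
# Added example (not from the original post): generate, and optionally apply,
# the nat/filter rules that forward TCP port 2221 arriving at the public IP
# to the hosting server. Values below come from the question and can be
# overridden via the environment.
PUBLIC_IP=${PUBLIC_IP:-1.2.3.4}
TARGET_IP=${TARGET_IP:-1.2.3.5}
PORT=${PORT:-2221}
WAN_IF=${WAN_IF:-eth1}

# NAT rules: DNAT rewrites the destination of inbound connections; SNAT on
# POSTROUTING rewrites their source so 1.2.3.5 answers 1.2.3.4, not the client.
# Note -d takes address/mask only; the port is matched with --dport.
nat_rules() {
  cat <<EOF
-A PREROUTING -i ${WAN_IF} -d ${PUBLIC_IP}/32 -p tcp -m tcp --dport ${PORT} -j DNAT --to-destination ${TARGET_IP}:${PORT}
-A POSTROUTING -d ${TARGET_IP}/32 -p tcp -m tcp --dport ${PORT} -j SNAT --to-source ${PUBLIC_IP}
EOF
}

# FORWARD rules: only the one forwarded service is allowed, plus its replies,
# so the box does not become a general router between the two networks.
filter_rules() {
  cat <<EOF
-A FORWARD -d ${TARGET_IP}/32 -p tcp -m tcp --dport ${PORT} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s ${TARGET_IP}/32 -p tcp -m tcp --sport ${PORT} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Whole fragment in the *table / rules / COMMIT layout iptables-restore expects.
restore_fragment() {
  printf '*nat\n%s\nCOMMIT\n*filter\n%s\nCOMMIT\n' "$(nat_rules)" "$(filter_rules)"
}

# Returns 0 when the running kernel currently forwards IPv4 packets.
ip_forward_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

if [ "$1" = "--apply" ]; then
  ip_forward_enabled || sysctl -w net.ipv4.ip_forward=1
  # -n (--noflush) appends to the existing tables instead of replacing them.
  restore_fragment | iptables-restore -n
else
  restore_fragment
fi
```

Run it without arguments to review the generated rules (or to diff them against the output of iptables-save); run it with --apply as root to load them. Persist the result with service iptables save on CentOS 6 so it survives a reboot.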