How to write iptables rules correctly?
A beginner's question about iptables.
Local network behind a Mikrotik: 192.168.10.0/24
Local web server: 192.168.10.254:8000
The Mikrotik reaches the Internet through a VPS over L2TP (192.168.42.1 <-> 192.168.42.10). Internet access from the local network works fine.
The VPS has the following NAT rules:
[email protected]:~# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -d 95.181.155.97/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.254:8000
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
Routes:
[email protected]:~# ip r
default via 95.181.155.1 dev eth0 onlink
95.181.155.1 dev eth0 proto kernel scope link src 95.181.155.97
192.168.10.0/24 via 192.168.42.10 dev ppp0
192.168.42. scope link src 192.168.42.1
From the VPS, traffic to 192.168.10.254 gets through. For any external request I see an entry in the iptables log, but the kernel does not reach the Mikrotik:
: IN=eth0 OUT= MAC=52:54:00:c7:c0:9e:00:1c:73:52:bc:33:08:00 SRC=176.110.120.173 DST=95.181.155.97 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=63068 DF PROTO=TCP SPT=34896 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0