iptables -A INPUT -i eth0 -p tcp --dport 8000 -j ACCEPT

This is the rule that skips

Here the feature is that after REDIRECT the packet does not go through the PREROUTING chain further or again. Therefore, you can do this: mark the packet in PREROUTING and drop the marked packets into INPUT.

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 8000 -j MARK --set-mark 1
iptables -I INPUT  -i eth0 -m mark --mark 1 -j DROP

Rule you have
you can’t clean it up, because the packet then goes to the INPUT chain, where it drops (you have a default policy of DROP) without this rule. However, tagged packets must be dropped before it, otherwise it will skip them (hence the "-I" flag in the rule above, which you might want to change by putting the rules in order).
Another way: you can hang up a web server on localhost and use DNAT, but for this you also need net.ipv4.conf.all.route_localnet=1, otherwise the packet will be dropped (martian packet).

Good afternoon!
Now let's get back to our parrots...
Torments and tests showed what should be left and what should be removed, as a result, I have this miracle:

#!/bin/sh
# Очищаем предыдущие записи
iptables -F
# Установка политик по умолчанию
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Разрешаем локальный интерфейс и внутреннию сеть
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
# Отбрасываем кривые пакеты
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Блокирование DDoS по 80 порту веб-сервера
iptables -A INPUT -i eth0 -p tcp --syn --dport 80 -m state --state NEW -m recent --name ddos --set
iptables -A INPUT -i eth0 -p tcp --syn --dport 80 -m state --state NEW -m recent --name ddos --update --seconds 60 --rttl --hitcount 100 -j DROP
# Защита от спуфинга
iptables -I INPUT -i eth0 -m conntrack --ctstate NEW,INVALID -p tcp --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset
# Защита от попытки открыть входящее соединение TCP не через SYN
iptables -I INPUT -i eth0 -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
# Закрываемся от кривого icmp
iptables -I INPUT -i eth0 -p icmp -f -j DROP
# REL, ESTB allow
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Разрешаем получать данные от DHCP-сервера. (Allow DHCP)
iptables -A INPUT -i eth0 -p UDP --dport 68 --sport 67 -j ACCEPT
# Блокирование доступа тем, кто превышает заданное количество подключений
iptables -A INPUT -p tcp --dport 22 -m recent --name ssh --update --seconds 3600 --hitcount 5 -j REJECT
iptables -A INPUT -p tcp --dport 22 -m recent --name ssh --set -j ACCEPT
# Пресечение попыток взлома сервисов
iptables -A INPUT -p tcp --dport 22 -m recent --name ssh --update --seconds 3600 --hitcount 8 -j REJECT
iptables -A INPUT -p tcp --dport 22 -m recent --name ssh --set
iptables -A INPUT -p tcp --dport 22 -m recent --name ssh ! --rcheck --seconds 15 --hitcount 2 -j REJECT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Открытые порты
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 8000 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 8443 -j ACCEPT
# Перенаправление
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 3011 -j MARK --set-mark 1
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3011
iptables -I INPUT  -i eth0 -m mark --mark 1 -j DROP
# Разрешение главных типов протокола ICMP
iptables -A INPUT -i eth0 -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type 12 -j ACCEPT
#Разрешить ICMP запросы для ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
# Просмотр
# iptables -L --line-number
echo
echo "Adding DONE, maybe OK, you maybe free - goodbye!"
echo "Now Save it!"
service iptables save
echo
service iptables restart
echo "Ready!?"

But!!! It is necessary for me that from port 443 everything also goes to the specified port 3011. So far I have not been able to successfully solve this. And also put the rules in the right order. I need help with this.
Suggestions for improvement and optimization are also accepted. I think this will be useful for many.