来自路由器的包与 iptables dnat 规则不匹配

我有以下规则将端口 443 从外部转发到内部主机：

IF_INET=ppp0
IF_INET_IP=1.2.3.4    # Router External IP
IF_LAN_IP=192.168.0.1 # Router Internal IP
IF_LAN_NET=192.168.0.0/24
VPN_HOST=192.168.0.2  # Internet Host with a HTTPS Webserver

iptables -t nat -A PREROUTING -d $IF_INET_IP -p tcp --dport 443 -j DNAT --to $VPN_HOST
iptables -A FORWARD -i $IF_INET -o $IF_LAN -p tcp -d $VPN_HOST --dport 443 -j ACCEPT

该服务也可以从内部访问，我还有一个 snat 规则：

iptables -t nat -A POSTROUTING -d $VPN_HOST -p tcp --dport 443 -s $IF_LAN_NET -j SNAT --to $IF_LAN_IP

现在的问题是，当我想从路由器本身打开 dns 地址（指向 $IF_INET_IP）时，其中 iptables 正在执行 nat，这些数据包不会转发到内部主机。

我定义了以下规则来追踪问题：

iptables -t raw -A OUTPUT -p tcp -d $IF_INET_IP --dport 443 -j TRACE

并得到这个：

TRACE: raw:OUTPUT:rule:6 IN= OUT=lo SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307) UID=0 GID=0
TRACE: raw:OUTPUT:policy:7 IN= OUT=lo SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307) UID=0 GID=0
TRACE: mangle:OUTPUT:policy:1 IN= OUT=lo SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307) UID=0 GID=0
TRACE: nat:OUTPUT:policy:1 IN= OUT=lo SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307) UID=0 GID=0
TRACE: filter:OUTPUT:rule:1 IN= OUT=lo SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307) UID=0 GID=0
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=lo SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307) UID=0 GID=0
TRACE: nat:POSTROUTING:policy:4 IN= OUT=lo SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307) UID=0 GID=0
TRACE: raw:PREROUTING:rule:4 IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307)
TRACE: raw:PREROUTING:rule:6 IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307)
TRACE: raw:PREROUTING:policy:7 IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307)
TRACE: mangle:PREROUTING:policy:1 IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307)
TRACE: mangle:INPUT:policy:1 IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307)
TRACE: filter:INPUT:rule:2 IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307)

安迪，我该怎么做？