Routing a port through a machine that's not the default router

I have an OpenVPN machine on my network that hosts a VPN, but it is not the default router for the network. I wanted to forward a port for the OpenVPN clients so that they could see another machine on the local network. To do this requires a number of steps.

First, the machine that they'll be connecting to needs a default route added for the OpenVPN network, or the packets will never return. My OpenVPN network is and my local network is in these examples. The OpenVPN server is and on tun0 and eth0 respectively; the machine I want my OpenVPN clients to be able to connect to on port 6666 is

route add -net netmask gw dev eth0

This allows the server to return TCP. Of course, the machine must have its firewall set to allow port 6666 in, but that's simple.

Then, the OpenVPN server needs its forwarding enabled. The commands that worked for me were:

iptables -t nat -A PREROUTING -p tcp --dport 6666 -j DNAT --to
iptables -A FORWARD -p tcp -s --sport 6666 -j ACCEPT
iptables -A FORWARD -p tcp -d --dport 6666 -j ACCEPT

This allows the communication in, and the response back out. I had also added these lines to my INPUT and OUTPUT chains; I'm not sure if they were needed:

iptables -A firewall-input -p udp --dport 6666 -j ACCEPT
iptables -A firewall-output -p tcp -m state --state NEW -m tcp --dport 6666 -j ACCEPT

If not, they don't hurt anything.