Iptables forward traffic from A to B where A is not gateway for B

I've been working on this same problem for a while now. The solution that seems to work for me (at least when I demoed it using VMs) wound up looking significantly different than what you have posted here.

Real quick, here are my configurations:

iptables -L:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables -S:

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

(Just to clarify, that last INPUT rule is to allow ssh access into Machine A.)

iptables -t nat -L:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

DNAT       tcp  --  anywhere             anywhere             tcp dpt:2222 to:192.168.0.200:22


Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

SNAT       tcp  --  anywhere             anywhere             tcp dpt:22 to:217.27.166.110

iptables -t nat -S:

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.0.200:22
-A POSTROUTING -p tcp -m tcp --dport 22 -j SNAT --to-source 217.27.166.110

So, interestingly, I didn't need anything in the FORWARD chain, but it appears that the PREROUTING rule was enough to get the first packet from the client forwarded to Machine B.

iptables -t nat -A PREROUTING -i <external_interface> -p <tcp/udp> --dport <port_to_accept_connections_through> -j DNAT --to <destination_address:destination_port>

The problem, then, was the response packet getting lost by going through the Gateway. I didn't realize this until I Wiresharked the eth1 on Machine A and noticed that the source address on the packet bound for Machine B was still that of the client machine. I then used the POSTROUTING table to change the source address to Machine A's IP address on eth1 so that Machine B would know to send the response to Machine A and not the Gateway.

iptables -t nat -A POSTROUTING -p <tcp/udp> --dport <destination_port> -j SNAT --to <internal_IP_address_of_machine_a>

At this point, I was able to establish the connection from a client sitting on the same network as Machine A's eth0 interface to Machine B. While I'm not 100% sure how the firewall knew what to do with the response packets sent from Machine B to the client machine, I think the most likely reason is the rule in the INPUT chain that allows established connections through the firewall:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT