Looking at your iptables rule, you are very close to the solution.
The iptables rule you've used states 'all the packets sent to the firewall's eth0, to port 4000, should have their destination address changed', and it looks OK.
But you also need to:
a. allow this packet to be forwarded
b. allow the returning packet(s) to be forwarded back
So you need to add at least:
1. iptables -A FORWARD -j ACCEPT
2. enable packet forwarding in the kernel with the command 'echo 1 > /proc/sys/net/ipv4/ip_forward'
3. take care of the source address of the packets forwarded back (POSTROUTING with the MASQUERADE or SNAT target).
Look: your rule changes the destination address (the source is constant), so your internal box can see where to send the 'response', and the host which sent the request will get the 'response'. But it will ignore it, since it will not get it from the host it asked. Therefore you need (3).
Of course, you can make the above 'forward' and 'postrouting' rules more elaborate. For instance, you can block packets not destined for port 4000, track them with the '--state' switch, etc.
BTW: an 'open' port means nothing else than accepting the packets sent to this port.
iptables is very simple and logical. Read this
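The complete rule set that steps 1 to 3 above describe, as an added example that is not part of the original answer. It assumes hypothetical values: eth0 as the interface receiving the packets, eth1 facing the internal box, 192.168.1.10 as the internal box and 192.168.1.1 as the firewall's own LAN address; all of them can be overridden through environment variables. By default it only prints the commands; set DRY_RUN=0 to actually apply them (needs root). Instead of the blanket 'iptables -A FORWARD -j ACCEPT' it forwards only the port-4000 flow and its replies, which is the narrowing the answer hints at with the '--state' remark.

```shell
#!/bin/sh
# Added example, not from the original answer. Hypothetical values:
#   WAN_IF - interface that receives the packets (eth0 in the question)
#   LAN_IF - interface facing the internal box (assumed eth1)
#   PORT   - forwarded port (4000 in the question)
#   TARGET - internal box's address (assumed 192.168.1.10)
#   FW_LAN - firewall's own address on the LAN side (assumed 192.168.1.1)
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
PORT="${PORT:-4000}"
TARGET="${TARGET:-192.168.1.10}"
FW_LAN="${FW_LAN:-192.168.1.1}"
DRY_RUN="${DRY_RUN:-1}"   # default: print only; DRY_RUN=0 applies the rules (needs root)

# run: print the command, execute it only when DRY_RUN=0
run() {
    printf '%s\n' "$*"
    if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# port_forward_rules: emit the complete rule set for one forwarded TCP port
port_forward_rules() {
    # step 2: the kernel must route packets between its interfaces
    run sysctl -w net.ipv4.ip_forward=1

    # the asker's rule: rewrite the destination of packets arriving on WAN_IF:PORT
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$TARGET:$PORT"

    # step 1, narrowed: forward only this flow and its replies, with a DROP policy
    # for everything else, instead of 'iptables -A FORWARD -j ACCEPT'
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$TARGET" --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -P FORWARD DROP

    # step 3: source address rewriting. MASQUERADE gives the internal box's own
    # outbound traffic the firewall's WAN address. The SNAT rule rewrites the source
    # of the forwarded packets to the firewall's LAN address, so the internal box
    # sends its replies back through the firewall even when the firewall is not its
    # default gateway (otherwise the client would see a reply from 192.168.1.10).
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -d "$TARGET" --dport "$PORT" \
        -j SNAT --to-source "$FW_LAN"
}

# rule_count: number of commands the rule set consists of
rule_count() {
    port_forward_rules | wc -l | tr -d ' '
}

port_forward_rules
```

Run it once as-is to review the generated commands, then with 'DRY_RUN=0 sh script.sh' as root to apply them. The POSTROUTING SNAT rule is matched after DNAT has already run, which is why it selects on the internal box's address rather than the firewall's; check the result with 'iptables -t nat -L -n -v' and 'iptables -L FORWARD -n -v'.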