A couple of thoughts...
You don't need the -d definition in the PREROUTING unless you have more than 1 IP number on the interface
Which rules precede this one?
Specific rules like this should be in the beginning of the ruleset rather than -A adding them to the end...
Practise using -j LOG entries before each DNAT, eg -A PREROUTING -i eth0 -p tcp --dport 407 -j LOG --log-prefix "nat_in " to watch that packets are arriving
Packets can still die later in the FORWARD chain...
Make sure there is a rule to allow this port, eg -I FORWARD 3 -p tcp --dport 407 -d 10.10.1.243 -j ACCEPT
Of course, just adding these rules can break your firewall too, depending on the existing rulesets.
If you have edited /etc/sysconfig/iptables directly, be aware there is a special syntax it expects and DNAT --to is not correct there.
Always better to do it from a command line until you are satisfied it works, then do service iptables save to keep them stored. The command line adds the rule immediately whereas /etc/sysconfig/iptables additions require iptables to be restarted to activate the rules.
A recommended tutorial.
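
Added example, not part of the original reply: a small shell helper that reads syslog text and counts the packets recorded by the "nat_in " LOG rule above for a given destination port, grouped by source address and inbound interface. The function names and the sample log lines (including the addresses, the 8080 entry and the "fw_drop" prefix) are constructed for illustration.

```sh
#!/bin/sh
# Summarise kernel LOG lines written by a rule using --log-prefix "nat_in ".
# Reads syslog text on stdin; $1 is the destination port to check (407 in the reply).
nat_in_summary() {
    awk -v port="$1" '
        / nat_in / {
            src = ""; dpt = ""; inif = ""
            # netfilter LOG output is a run of KEY=value fields
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i ~ /^IN=/) inif = substr($i, 4)
            }
            if (dpt != port) next      # a different DNAT sharing the same prefix
            hits[src " " inif]++
            total++
        }
        END {
            for (k in hits) print k, hits[k]
            print "total", total + 0
        }' | sort
}

# Print only the number of matching packets for port $1.
nat_in_total() {
    nat_in_summary "$1" | awk '$1 == "total" { print $2 }'
}

# Constructed sample log lines (documentation addresses, made-up hosts).
SAMPLE_LOG='Jan 12 10:15:01 gw kernel: nat_in IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54321 DF PROTO=TCP SPT=51514 DPT=407 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:15:09 gw kernel: nat_in IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54399 DF PROTO=TCP SPT=51520 DPT=407 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:16:30 gw kernel: nat_in IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1201 DF PROTO=TCP SPT=40022 DPT=407 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:16:41 gw kernel: nat_in IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1310 DF PROTO=TCP SPT=40030 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:17:02 gw kernel: fw_drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.99 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=777 DF PROTO=TCP SPT=33000 DPT=407 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:17:05 gw sshd[2211]: Accepted publickey for admin from 192.0.2.5 port 50100 ssh2'

printf '%s\n' "$SAMPLE_LOG" | nat_in_summary 407
```

On a live box, pipe in whichever file your syslog writes kernel messages to instead of the sample. A total of 0 means the packets never reached PREROUTING on that interface; a non-zero total with no working connection points at the FORWARD chain or the return path.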