I think my third point is more understandable if I say it this way:

3. every forwarded packet was DNATed at PREROUTING and SNATed at POSTROUTING

I am using this preroute and postroute for one configuration I want to make, so to make one PC in my LAN to use an external proxy for all its traffic.

I use this:
INTERNAL_NETWORK=10.1.1.0/24
LAN=br-lan
LANIP=10.1.1.1
SQUIDIP=200.40.180.2
SQUIDPORT=8888
iptables -t nat -A prerouting_rule -i $LAN -s ! $SQUIDIP -p tcp --dport 80 -j DNAT --to $SQUIDIP:$SQUIDPORT
iptables -t nat -A postrouting_rule -o $LAN -s $INTERNAL_NETWORK -d $SQUIDIP -j SNAT --to $LANIP
iptables -A forwarding_rule -s $INTERNAL_NETWORK -d $SQUIDIP -i $LAN -o $LAN -p tcp --dport $SQUIDPORT -j ACCEPT


this routes everything ok when it goes to port 80. But I want it to work with EVERY port.
the idea is to get all internet traffic originated by the ip 10.1.1.1 to go through the proxy server 200.40.180.2

I wonder if someone can help me get this config working.

thanks a lot!

a nice server and firewall scenario to understanding the topic > digitalocean.com/community/tutorials/how-to-forward-ports-through-a-linux-gateway-with-iptables