Linux Iptables Port Forward

Add a PREROUTING rule in the nat table so that traffic arriving at a particular public IP and port is routed to your internal machine.

DNAT the traffic to your internal machine.
The filter rules on the gateway (the FORWARD chain) must not block the forwarded traffic to the internal machine.

sudo iptables -t nat -I PREROUTING 1 -d 85.234.65.57 -p tcp -m multiport --dports 80,443 \
  -j DNAT --to-destination 10.20.0.13
!
sudo iptables -I FORWARD 33 -d 10.20.0.13 -p tcp -m multiport --dports 80,443 -j ACCEPT
sudo iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

The RELATED,ESTABLISHED rule takes care of the return packets of the forwarded connections.
Accept packets to the web servers (HTTP and HTTPS) in the FORWARD chain; after DNAT the destination address seen by FORWARD is the internal one.
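The same DNAT and FORWARD setup as a re-runnable script, added here as an example (it is not code from the original page): each rule is checked with -C before it is inserted, and the kernel's forwarding switch is verified, which the page does not show. The public IP 203.0.113.10, internal host 10.20.0.13 and the ports are constructed placeholders, and applying the rules requires root on the gateway.

```shell
#!/bin/sh
# Added example (not from the original page): emit the nat and filter rules for one
# port forward as "-C || -I" pairs so the script can be re-run without duplicating rules.
# The addresses and ports passed in are constructed placeholders for the gateway's own.

# port_forward_rules PUBLIC_IP INTERNAL_IP PORTS [PROTO]
# Prints one shell command per line; each checks with -C and inserts only if absent.
port_forward_rules() {
    pub=$1; int=$2; ports=$3; proto=${4:-tcp}
    # nat/PREROUTING: rewrite the destination before the routing decision
    nat="-d $pub -p $proto -m multiport --dports $ports -j DNAT --to-destination $int"
    # filter/FORWARD sees the packet after DNAT, so match the internal address here
    fwd="-d $int -p $proto -m multiport --dports $ports -j ACCEPT"
    # return traffic for the forwarded connections (conntrack is the modern form of -m state)
    est="-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    printf 'iptables -t nat -C PREROUTING %s 2>/dev/null || iptables -t nat -I PREROUTING 1 %s\n' "$nat" "$nat"
    printf 'iptables -C FORWARD %s 2>/dev/null || iptables -I FORWARD 1 %s\n' "$fwd" "$fwd"
    printf 'iptables -C FORWARD %s 2>/dev/null || iptables -I FORWARD 1 %s\n' "$est" "$est"
}

# forwarding_enabled: DNAT alone does nothing unless the kernel routes between interfaces.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# apply_port_forward PUBLIC_IP INTERNAL_IP PORTS [PROTO]: run the commands as root on the gateway.
apply_port_forward() {
    if ! forwarding_enabled; then
        echo "net.ipv4.ip_forward is not 1; enable it with: sysctl -w net.ipv4.ip_forward=1" >&2
        return 1
    fi
    port_forward_rules "$@" | sh -e
}

# Dry run: print the commands that would be applied without touching the firewall.
# port_forward_rules 203.0.113.10 10.20.0.13 80,443
```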

Create an additional user-defined chain and jump to it from the FORWARD chain.
This organizes the rules per service, in the same way a named ACL would.

Create a chain:
sudo iptables -N ahdb_network
Create FORWARD rules to jump to ahdb_network:
sudo iptables -I FORWARD 1 -s 128.0.0.0/8 -d 128.0.0.0/8 -j ahdb_network
sudo iptables -I FORWARD 1 -s 128.0.0.0/8 -d 10.0.0.0/16 -j ahdb_network
sudo iptables -I FORWARD 1 -s 10.0.0.0/16 -d 128.0.0.0/8 -j ahdb_network
ahdb_network chain:
sudo iptables -I ahdb_network 1 -s 128.0.0.0/8 -d 128.0.0.0/8 -j ACCEPT
sudo iptables -I ahdb_network 2 -s 128.10.0.0/16 -d 10.0.0.0/16 -j ACCEPT
sudo iptables -I ahdb_network 3 -s 128.20.0.0/16 -d 10.0.0.0/16 -j ACCEPT
sudo iptables -I ahdb_network 4 -s 10.0.0.0/16 -d 128.10.0.0/16 -j ACCEPT
sudo iptables -I ahdb_network 5 -s 10.0.0.0/16 -d 128.20.0.0/16 -j ACCEPT
Intersite VPN Connectivity:

The Priory_Vets_Group chain must exist before the FORWARD rules can jump to it:
iptables -N Priory_Vets_Group
!
iptables -I FORWARD 63 -o eth0 -s 10.20.0.0/16 -d 10.20.21.1/32 -p tcp -m tcp \
  --dport 3389 -j Priory_Vets_Group
!
iptables -I FORWARD 64 -o eth0 -s 10.20.21.1/32 -d 10.20.0.0/16 -p tcp -m tcp \
  --sport 3389 -j Priory_Vets_Group
!
iptables -I Priory_Vets_Group 1 -d 10.20.0.0/16 -j ACCEPT
iptables -I Priory_Vets_Group 2 -d 10.20.21.1/32 -j ACCEPT