LXC, Port forwarding and iptables

Posted by Roberto Aloi on Server Fault
Published on 2013-03-13T17:13:56Z Indexed on 2014/05/30 9:30 UTC

I have a LXC container (10.0.3.2) running on a host. A service is running inside the container on port 7000.

From the host (10.0.3.1, lxcbr0), I can reach the service:

$ telnet 10.0.3.2 7000
Trying 10.0.3.2...
Connected to 10.0.3.2.
Escape character is '^]'.

I'd love to make the service running inside the container accessible to the outside world. Therefore, I want to forward port 7002 on the host to port 7000 on the container:

iptables -t nat -A PREROUTING -p tcp --dport 7002 -j DNAT --to 10.0.3.2:7000

Which results in (iptables -t nat -L):

DNAT   tcp  --  anywhere     anywhere     tcp dpt:afs3-prserver to:10.0.3.2:7000

Still, I cannot access the service from the host using the forwarded port:

$ telnet 10.0.3.1 7002
Trying 10.0.3.1...
telnet: Unable to connect to remote host: Connection refused

I feel like I'm missing something stupid here. What things should I check? What's a good strategy to debug these situations?

For completeness, here is how iptables is set up on the host:

iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X

iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o lxcbr0 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp --dport 7002 -j DNAT --to 10.0.3.2:7000
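The following is an added debugging helper, not part of the original question or anyone's answer to it. It encodes the two checks that matter most for this setup: which nat chain a connection actually traverses, and whether the DNAT rule's packet counter moves at all. The key point is that a connection originated on the host itself (the `telnet 10.0.3.1 7002` above) never passes through PREROUTING; locally generated packets go through the nat OUTPUT chain, so the host's own stack answers for 10.0.3.1:7002 and, with nothing listening there, refuses the connection. A client on another machine would hit PREROUTING. The script assumes the addresses from the question (host 10.0.3.1 on lxcbr0, container 10.0.3.2, host port 7002 to container port 7000); the function names and the two `iptables -t nat -L -n -v` listings are constructed for illustration and are not output captured from the asker's host.

```shell
# Added example, not from the original post: a helper for debugging a DNAT
# port forward into an LXC container. Addresses are taken from the question;
# function names and the sample listings below are constructed.

HOST_IP=10.0.3.1
CT_IP=10.0.3.2
EXT_PORT=7002
CT_PORT=7000

# Check 1: which nat chain sees the first packet of a connection. Packets
# generated by a process on the host never traverse PREROUTING; they go
# through the nat OUTPUT chain. A test run on the host therefore bypasses a
# PREROUTING-only DNAT rule and gets "Connection refused" from the host's own
# stack. A client on another machine (or in the container) hits PREROUTING.
nat_chain_for_client() {
    case "$1" in
        local)  echo OUTPUT ;;
        remote) echo PREROUTING ;;
        *)      echo "unknown client kind: $1" >&2; return 1 ;;
    esac
}

# Rules that cover both client kinds. Printed rather than applied, so the
# script needs no root; review the output, then pipe it into "sh" to apply.
dnat_rules() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$EXT_PORT" "$CT_IP" "$CT_PORT"
    # Only needed for connections originated on the host itself (the local test).
    printf 'iptables -t nat -A OUTPUT -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$HOST_IP" "$EXT_PORT" "$CT_IP" "$CT_PORT"
    # DNAT'd packets are routed, so they traverse FORWARD, not INPUT: the INPUT
    # DROP policy in the question does not touch them. FORWARD is ACCEPT there;
    # with a FORWARD DROP policy this explicit accept would be required.
    printf 'iptables -A FORWARD -p tcp -d %s --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$CT_IP" "$CT_PORT"
}

# Check 2: packet counters. Feed "iptables -t nat -L -n -v" output on stdin;
# prints how many packets matched any DNAT rule ("-n" keeps ports numeric
# instead of names such as afs3-prserver). A counter that stays at zero while
# you test means the packet never reached that chain.
dnat_hits() {
    awk '$3 == "DNAT" { sum += $1 } END { print sum + 0 }'
}

# Constructed listing mirroring the question: a local telnet that never hit
# PREROUTING, so the DNAT counter is still zero.
SAMPLE_BEFORE='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7002 to:10.0.3.2:7000

Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed listing after adding the nat OUTPUT rule and testing from both
# a remote client (3 packets) and the host itself (1 packet).
SAMPLE_AFTER='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7002 to:10.0.3.2:7000

Chain OUTPUT (policy ACCEPT 5 packets, 300 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.3.1             tcp dpt:7002 to:10.0.3.2:7000'

# Check 3, on the live host (iptables needs root): forwarding must be enabled
# and the counters should move on every connection attempt.
live_checks() {
    printf 'ip_forward=%s\n' "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown)"
    iptables -t nat -L -n -v --line-numbers 2>/dev/null || echo 'iptables not available (run as root)'
}

echo "local client hits nat chain:  $(nat_chain_for_client local)"
echo "remote client hits nat chain: $(nat_chain_for_client remote)"
echo "DNAT packets before: $(printf '%s\n' "$SAMPLE_BEFORE" | dnat_hits)"
echo "DNAT packets after:  $(printf '%s\n' "$SAMPLE_AFTER" | dnat_hits)"
echo "rules to apply:"
dnat_rules
```

Run it as is to see the rule set and the counter difference between the two listings; run `live_checks` as root on the host to compare with the real tables. For a test that exercises the PREROUTING rule rather than the OUTPUT rule, connect from a machine other than the host, or watch the counters with `iptables -t nat -L -n -v` while `tcpdump -ni lxcbr0 port 7000` shows whether anything reaches the container at all.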
