DNAT not working on Raspberry Pi

Post by andrewsoutar » Wed Feb 05, 2014 3:59 am

I'm trying to configure my Raspberry Pi as a router. It receives internet through a wifi dongle and acts as a DHCP and DNS server and gateway for a network it's connected to via ethernet (10.*.*.*). I have all this set up in iptables. Here is my iptables.rules:

```
# Generated by iptables-save v1.4.21 on Wed Jan 29 00:29:50 2014
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A POSTROUTING -s 10.0.0.0/8 -o wlan0 -j MASQUERADE

COMMIT
# Completed on Wed Jan 29 00:29:50 2014
# Generated by iptables-save v1.4.21 on Wed Jan 29 00:29:50 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]

-A INPUT -p icmp -m icmp --icmp-type 8 -m recent --set --name ping-limiter --mask 255.255.255.255 --rsource
-A INPUT -p icmp -m icmp --icmp-type 8 -m recent --update --seconds 4 --hitcount 6 --name ping-limiter --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable

-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -i eth0 -m tcp --dport 53 -j ACCEPT
-A TCP -p tcp -i eth0 -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -i eth0 -m tcp --dport 443 -j ACCEPT

-A UDP -p udp -i eth0 -m udp --dport 67 -j ACCEPT
-A UDP -p udp -i eth0 -m udp --dport 68 -j ACCEPT

-A fw-interfaces -i eth0 -j ACCEPT

COMMIT
# Completed on Wed Jan 29 00:29:50 2014
```

Now, I'm trying to port-forward DNS requests on the external (wifi) interface to my main server, 10.42.90.247. This works fine:

```
sudo iptables -A fw-open -p udp -d 10.24.90.247 --dport 53 -j ACCEPT
```

However, when I run the next part,

```
sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j DNAT --to 10.24.90.247
```

I get:

```
iptables: No chain/target/match by that name.
```

I can do things like

```
sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j ACCEPT
```

fine, so (as far as I can tell) the error must be referring to the DNAT part.

I can't find anything seemingly pertinent online, and I'm at a loss for what I'm doing wrong here.
andrewsoutar
 
Posts: 1
Joined: Wed Feb 05, 2014 3:34 am
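Two checks that follow from the post, written here as an added example and not part of the original thread: whether the running kernel has the DNAT target registered at all (the situation in which iptables reports "No chain/target/match by that name" for a -j target even though the chain exists), and whether every DNAT destination also has a matching ACCEPT in the filter table, since translated packets still traverse FORWARD, which this ruleset ends with REJECT. The rule lines and the target list below are constructed samples standing in for `iptables-save` output and the contents of /proc/net/ip_tables_targets.

```shell
#!/bin/sh
# Constructed sample input: the DNAT rule and fw-open rule from the post, in
# iptables-save form, plus one unrelated rule from the ruleset.
RULES='-A PREROUTING -i wlan0 -p udp --dport 53 -j DNAT --to 10.24.90.247
-A fw-open -p udp -d 10.24.90.247 --dport 53 -j ACCEPT
-A fw-interfaces -i eth0 -j ACCEPT'

# Constructed stand-in for /proc/net/ip_tables_targets, the list of targets the
# running kernel has registered. DNAT is deliberately missing from this sample.
TARGETS='ACCEPT
MASQUERADE
REJECT'

# target_available NAME LIST: succeed only if NAME is a registered target.
# If this fails for DNAT, the kernel has no module providing that target.
target_available() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# dnat_destinations RULES: print the address given to each DNAT rule's --to /
# --to-destination argument, with any :port suffix stripped.
dnat_destinations() {
    printf '%s\n' "$1" | awk '/-j DNAT/ {
        for (i = 1; i <= NF; i++)
            if ($i == "--to" || $i == "--to-destination") {
                sub(/:.*/, "", $(i + 1)); print $(i + 1)
            }
    }'
}

# unforwarded_dnat RULES: print every DNAT destination that no ACCEPT rule
# matches with "-d ADDR"; translated packets to it would hit FORWARD's REJECT.
unforwarded_dnat() {
    for dst in $(dnat_destinations "$1"); do
        printf '%s\n' "$1" | grep -F -- "-d $dst " | grep -qF -- "-j ACCEPT" \
            || printf '%s\n' "$dst"
    done
}

# report RULES TARGETS: print findings; returns 1 if there are any.
report() {
    rc=0
    target_available DNAT "$2" || { echo "DNAT target not registered in kernel"; rc=1; }
    for d in $(unforwarded_dnat "$1"); do echo "DNAT to $d has no forward ACCEPT"; rc=1; done
    return $rc
}

report "$RULES" "$TARGETS" || echo "ruleset needs attention"
```

On the Pi itself, replace the two constructed strings with the output of `iptables-save` and the contents of /proc/net/ip_tables_targets.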
