There is a difference in making TCP port redirection via iptables/nftables/pf firewall NAT and via a dedicated TCP tunnel process, such as socat.
Let's say we face the setup -- firewall A, server B, and -- server B has a defaultroute elsewhere, not via firewall A
In case of tcp tube, the connection from a firewall goes via socat with the source address of LAN of the firewall. Server B sees A's
LAN address and sends data back there happily.
In case of nat redirection, the connection via filewall A comes from external addresses to server B, and it replies to that external address via server's B defaultroute (and in case it is elsewhere this connection cannot be established: even it sends packets to the source, they are coming from another IP).
I wish there had been someone several years ago that could explain that to me ;-)
