OK, these commands did the trick!
Apparently I only need these ones:
iptables -t nat -A zone_lan_prerouting -s 192.168.1.0/24 -d 95.237.136.248/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Web server HTTP (reflection)" -j DNAT --to-destination 192.168.3.10:80
iptables -t nat -A zone_lan_prerouting -s 192.168.1.0/24 -d 95.237.136.248/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Web server HTTPS (reflection)" -j DNAT --to-destination 192.168.3.10:443
The first 2 lines @trendy posted seem to be unnecessary to me, and the rules referring to 192.168.0.2 are related to my modem
interface, in this case I'm sure I don't need them.
My IP address is dynamic, but since /etc/firewall.user
is a shell script I could just fire up some commands and save my current address in a variable