I'm trying to achieve a 1:1 NAT using Raspbian (on Raspberry Pi) so a SCADA system can see a PLC on a different network.
Since I'm a 100% beginner, I've just done the basics:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -d 172.16.254.100 -i eth1 -j DNAT --to-destination 86.26.48.20
iptables -t nat -A POSTROUTING -s 86.26.48.20 -o eth1 -j SNAT --to-source 172.16.254.100
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

The PLC is 86.26.48.20, gateway 86.26.48.1
The Raspberry Pi has eth0 86.26.48.1, gateway 86.26.48.1,
eth1 172.16.254.100, gateway 172.16.254.1
Laptop 172.16.254.88, gateway 172.16.254.99

The strange thing is the laptop can ping the PLC with only the PREROUTING line (before the POSTROUTING line is typed in) and 'software' can go online to the PLC. The trouble is the SCADA will not connect.
Wireshark on the laptop shows a pattern of red lines whose subject is "Ethernet/IP-2" with the RST as 1 (I believe this is highlighting a problem?) as the response from the Pi.

If I set the gateways to treat the Pi as a normal router (not NAT) then the SCADA connects.

I want to be able to connect to the PLC as though it sat on the 172.16.254.xxx network and not have the laptop see the Pi as a gateway. I don't care about firewalls or any of that stuff; I merely want a NAT device (like the Rockwell 9300-NAT).

Any ideas how to move forward with this, or just pointers as to how to test anything? (I tried logging but it baffled me more.)
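
Added example, not part of the original post: a simplified Python model of how netfilter applies the two nat rules above. It shows why traffic started by the laptop is translated in both directions with only the PREROUTING rule, and which flows the POSTROUTING rule covers. The NatBox class and helper functions are hypothetical, the addresses and interfaces are taken from the post, and the outgoing interface is supplied by the caller instead of a routing lookup.

```python
# Simplified, constructed model of netfilter NAT (not real kernel code).
# Behaviour modelled: nat-table rules are consulted only for the first packet
# of a flow; conntrack then translates later packets, replies included.

PLC, NAT_IP, LAPTOP = "86.26.48.20", "172.16.254.100", "172.16.254.88"


class NatBox:
    def __init__(self, dnat=None, snat=None):
        self.dnat = dnat or {}   # PREROUTING:  (in_if, dst)  -> new dst
        self.snat = snat or {}   # POSTROUTING: (out_if, src) -> new src
        self.conntrack = {}      # expected reply (src, dst) -> rewritten (src, dst)

    def forward(self, src, dst, in_if, out_if):
        """Return the (src, dst) the packet carries when it leaves the box."""
        # Reply of a tracked flow: undo the original translation, no rule lookup.
        if (src, dst) in self.conntrack:
            return self.conntrack[(src, dst)]
        # First packet of a flow: consult the rules once.
        new_dst = self.dnat.get((in_if, dst), dst)
        new_src = self.snat.get((out_if, src), src)
        # Remember what the reply will look like and how to restore it.
        self.conntrack[(new_dst, new_src)] = (dst, src)
        return (new_src, new_dst)


# The two rules from the post, expressed as lookups.
DNAT_RULE = {("eth1", NAT_IP): PLC}   # -t nat -A PREROUTING -i eth1 -d 172.16.254.100
SNAT_RULE = {("eth1", PLC): NAT_IP}   # -t nat -A POSTROUTING -o eth1 -s 86.26.48.20


def laptop_to_plc(box):
    """Laptop opens a flow to the NAT address; PLC answers."""
    out = box.forward(LAPTOP, NAT_IP, "eth1", "eth0")
    back = box.forward(PLC, LAPTOP, "eth0", "eth1")
    return out, back


def plc_to_laptop(box):
    """PLC opens a flow towards the laptop (first packet only)."""
    return box.forward(PLC, LAPTOP, "eth0", "eth1")


if __name__ == "__main__":
    print("DNAT only, laptop first:", laptop_to_plc(NatBox(dnat=DNAT_RULE)))
    print("DNAT only, PLC first:   ", plc_to_laptop(NatBox(dnat=DNAT_RULE)))
    print("DNAT+SNAT, PLC first:   ", plc_to_laptop(NatBox(DNAT_RULE, SNAT_RULE)))
```

On the Pi itself, `conntrack -L` (from the conntrack-tools package) lists the tracked flows with their original and reply tuples, which can be compared with what the model returns.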