..., but you also need a return path from the server to remote client.
Not really, that's what conntrack is for, if there's NAT in one direction, it automatically takes care about the other one.
Filter rules from few posts back don't block it either, the only blocking rule is #6, but it does not apply to dstnated packets.
Anyway, this should be extremely easy to debug, especially for someone who can use Wireshark. Do the similar at router (either use Tools->Torch in interfaces or add logging rules in prerouting/forward/postrouting chains). When you connect from <outside client> to <public IP>:49068, you must see:
- packet from <outside client>:<some port> to <public IP>:49068 in prerouting
- packet from <outside client>:<some port> to 192.168.10.200:6000 in forward and postrouting (where the outgoing interface must be <LAN interface>
If this all works, the problem is not in router. Most likely 192.168.10.200 does not allow packets from non-LAN addresses or doesn't have correct default gateway.