Wednesday, August 11, 2010

Adding a defeat for a DNAT rule to allow SSH packets to hit the local box

I've been using SSH to pump packets down a VPN like this:
iptables -A PREROUTING -t nat -d $external_ip -j DNAT --to-destination $tun
iptables -A POSTROUTING -t nat -s $tun -o eth0 -j SNAT --to-source $external_ip

The problem is I need SSH packets to hit the local interface (i.e. not go down the VPN). Solution: add a REDIRECT rule before the DNAT in the PREROUTING chain. Order matters: the nat table is consulted only for the first packet of a connection and the first matching rule wins, so a port-22 rule placed after the catch-all DNAT would never be reached.
iptables -A PREROUTING -t nat -d $external_ip -p tcp --dport 22 -j REDIRECT
The REDIRECT target sends the packet to the local machine (effectively the same as DNAT with --to-destination 127.0.0.1; strictly, it rewrites the destination to the primary address of the incoming interface, and to 127.0.0.1 only for locally generated packets). Note that -A appends, so if the DNAT rule is already loaded, insert the REDIRECT ahead of it with -I PREROUTING 1 rather than -A, or flush the nat table and reload the rules in the order above.
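An added example (not from the original post) that emits the three nat rules in the order they must be loaded and checks, from the output of iptables -t nat -S PREROUTING, that the port-22 REDIRECT precedes the catch-all DNAT so SSH stays on the box. The variables external_ip and tun follow the post; the addresses and the sample -S output in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the post's two
# variables ($external_ip, $tun) and the post's eth0 interface name.

# Print the nat rules in load order. The port-22 REDIRECT is first because
# nat PREROUTING stops at the first match for a new connection; if the
# catch-all DNAT came first, SSH would be sent down the VPN too.
nat_rules() {
    ext="$1"; tun="$2"
    printf '%s\n' \
      "-A PREROUTING -d $ext -p tcp --dport 22 -j REDIRECT" \
      "-A PREROUTING -d $ext -j DNAT --to-destination $tun" \
      "-A POSTROUTING -s $tun -o eth0 -j SNAT --to-source $ext"
}

# Apply the rules (needs root). Use -I PREROUTING 1 instead if the DNAT rule
# is already loaded, since -A would append the REDIRECT after it.
load_rules() {
    nat_rules "$1" "$2" | while read -r rule; do
        # word splitting of $rule is intentional: each word is one argument
        iptables -t nat $rule
    done
}

# Given the text of `iptables -t nat -S PREROUTING` (or nat_rules output),
# return 0 if the first rule addressed to $ext is the port-22 REDIRECT,
# i.e. SSH to the external address still reaches the local box.
ssh_stays_local() {
    ext="$1"; ruleset="$2"
    printf '%s\n' "$ruleset" | grep -F -- "-d $ext" | head -n 1 \
        | grep -q -F -- '--dport 22 -j REDIRECT'
}
```

Run ssh_stays_local against live output (iptables -t nat -S PREROUTING) before relying on the DNAT from a remote session.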
