IPTables & Masquerading

marcuk03
Posts: 1
Joined: 2015/07/02 10:02:28

Post by marcuk03 » 2015/07/02 10:32:41

OK, so here is the scenario:
I have a CentOS 6.5 machine (server1) acting as a router which forwards/NATs all of my traffic onto another server (server2).

I have some devices that are sitting on the internet on modems with dynamic IPs.
I am forwarding all traffic from these devices coming in, and this is working perfectly.
One thing I do know is their ports, so I am using the following rules to forward/NAT this traffic to another server.

Where '555' & '666' are the known ports for my devices.
'123' = NTP port
2.2.2.2 = server2


[root@ip-1.1.1.1 sysconfig]# service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:555 to:2.2.2.2:555
2 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:666 to:2.2.2.2:666
3 DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123 to:2.2.2.2:123

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)

The problem I have is that I cannot pick up any NTP time source from either the internet or server2 when these rules are in place.
You'll note that I'm trying to send port 123 UDP to my server2 as well, as it is running NTP.

The masquerade seems to be stopping it working, but I've no idea how to filter (the masquerade) to ignore NTP traffic (UDP 123).
If I turn off iptables temporarily, it syncs NTP fine from either the internet or server2.
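As an added example (not part of the post above), a small Python checker that parses the `service iptables status` listing shown above, reports which NAT rules match every source and every destination address, and answers where a new inbound flow to a given port is redirected. The sample is a constructed copy of the nat table from the post; the listing was produced without `-v`, so any `-i`/`-o` interface matches would not appear in it, and `iptables -t nat -L -n -v` is needed to see interface scoping.

```python
import re
from collections import namedtuple

# Constructed sample: the nat table from the listing above, as `service iptables status` prints it.
SAMPLE = """\
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:555 to:2.2.2.2:555
2 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:666 to:2.2.2.2:666
3 DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123 to:2.2.2.2:123

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
"""
ANY = "0.0.0.0/0"
Rule = namedtuple("Rule", "table chain num target prot source destination extra")

def parse_status(text):
    """Parse `iptables -L -n --line-numbers` style output (what `service iptables status` prints)."""
    rules, table, chain = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("num "):
            continue  # blank line or column header
        if line.startswith("Table:"):
            table = line.split()[1]
        elif line.startswith("Chain "):
            chain = line.split()[1]
        else:  # num target prot opt source destination [match/target options]
            p = line.split(None, 6)
            if len(p) >= 6 and p[0].isdigit():
                rules.append(Rule(table, chain, int(p[0]), p[1], p[2], p[4], p[5],
                                  p[6] if len(p) > 6 else ""))
    return rules

def unscoped_nat_rules(rules):
    """NAT rules that match every source and every destination address."""
    return [r for r in rules if r.table == "nat" and r.target in ("DNAT", "MASQUERADE")
            and r.source == ANY and r.destination == ANY]

def dnat_target(rules, proto, dport):
    """Where PREROUTING sends a new inbound proto/dport flow, or None if no DNAT applies."""
    for r in rules:
        if (r.table == "nat" and r.chain == "PREROUTING" and r.target == "DNAT"
                and r.prot == proto and re.search(rf"\bdpt:{dport}\b", r.extra)):
            return re.search(r"\bto:(\S+)", r.extra).group(1)  # DNAT always prints "to:"
    return None
```

Running `dnat_target(parse_status(SAMPLE), "udp", 123)` returns `2.2.2.2:123`, which is where any new UDP/123 flow arriving on server1 lands, whichever address it was sent to.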
