Consegui resolver esse problema com sua ajuda.
Teve que adicionar regras adicionais para entrada e saída sobre eth1 e alterar a condição PREROUTING para corresponder apenas ao ip 192.168.1.5 em vez de adicionar uma regra.
A abordagem de roteamento com
ip rule add from 192.168.1.5/32 tabela DIRECT
fez com que todo o tráfego de 192.168.1.5 passasse pela eth1 em vez de apenas pela porta 900-999.
A configuração final é assim:
# Always accept loopback traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -i tun0 -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -i eth1 -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
/sbin/iptables -A FORWARD -i eth2 -o tun0 -j ACCEPT
/sbin/iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
# Masquerade.
/sbin/iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Don't forward from the outside to the inside.
/sbin/iptables -A FORWARD -i tun0 -o tun0 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Port exceptions
# Added -s for source address 192.168.1.5 here
iptables -t mangle -A PREROUTING -s 192.168.1.5 -p tcp --dport 900:999 -j MARK --set-mark 1
ip route add default via 192.168.2.1 dev eth1 table DIRECT
ip rule add from all fwmark 1 table DIRECT
Obrigado novamente por sua ajuda.