Why not it is forwarding the port?

Good day.
I got the legacy servers with KVM and iptables configured.
I admit I'm in this business to actively respond to, but unfortunately the holes in knowledge are still patching and patching. And as evil fell the task I need done quickly.
The essence of the following.
1) Made a virtual machine with Windows2016 address 10.10.20.121
2) Lifted on it the terminal server, and tested from the LAN, everything works and connects.
3) we have there a file firewall.sh in which I have added the lines
iptables-t nat -A PREROUTING policy -p tcp --dport 19999 -s 89.189.172.47 -j DNAT --to-destination 10.10.20.121:3389
iptables-t nat -A POSTROUTING -p tcp -d 10.10.20.121/24 --dport 3389
4) As a result, I want to knock on the white ip address of the machine on port 19999 and get RDP on 10.10.20.121
5) did /etc/sysconfig/firewall.sh && service iptables save && systemctl restart iptables
6) Get iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
7) See in /etc/sysconfig/iptables the line with the contents -A PREROUTING policy -s 89.189.172.47/32 -p tcp -m tcp --dport 19999 -j DNAT --to-destination 10.10.20.121:3389
IIiii... Everything. To connect to the correct address fails:( I understand that allow for some incredibly stupid mistake, but the whole day meditating on firewall.sh and can't understand what the problem is. I would be very grateful if you could point what am I doing wrong?
In advance, thank you very much.
March 23rd 20 at 18:53
2 answers
March 23rd 20 at 18:55
Solution
1. I hope you don't lit up a real direct ip, the people sitting here is definitely good, but there are those who are not good at all
2. here's a good article, but it is better to understand with iptables https://serveradmin.ru/nastroyka-iptables-v-centos-7/
March 23rd 20 at 18:57
And you have in the system is allowed to forward packages? And Centos 6 or 7?

sysctl net.ipv4.ip_forward what gives?
Good day.
[root@node1 ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

[root@node1 ~]# lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.2.1511 (Core)
Release: 7.2.1511
Codename: Core - aidan.Cass commented on March 23rd 20 at 19:00
If in /etc/sysconfig/iptables you only see one line, it turns out, you have this is the only iptables rule. Then there must be only one row in firewall.sh. The second command is generally a mistake to issue, so its probably not in /etc/sysconfig/iptables.

iptables-t nat -A PREROUTING policy -i eth1 -p tcp --dport 19999 -j DNAT --to-destination 10.10.20.121:3389

you need to replace eth1 with the name of your network interface, which looks in the Internet. - clarabelle commented on March 23rd 20 at 19:03

Find more questions by tags CentOSFirewallIptables