iptables encaminham porta da rede ext para o int

Eu tenho 2 endereços IP no iface eth0:

eth0      Link encap:Ethernet  HWaddr 00:19:99:a4:14:08  
          inet addr:85.25.152.115  Bcast:85.25.152.255  Mask:255.255.255.0
          inet6 addr: fe80::219:99ff:fea4:1408/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:233866 errors:0 dropped:0 overruns:0 frame:0
          TX packets:145186 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:175800889 (167.6 MiB)  TX bytes:38033903 (36.2 MiB)
          Interrupt:18 

eth0:1    Link encap:Ethernet  HWaddr 00:19:99:a4:14:08  
          inet addr:85.25.248.216  Bcast:85.25.248.255  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:18 

e eu tenho um iface virtual interno para o convidado do virtualbox:

tap0      Link encap:Ethernet  HWaddr ae:ba:ce:d7:7d:bd  
          inet addr:10.0.1.1  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::acba:ceff:fed7:7dbd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:111 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

10.0.1.1 é GW para a VM (10.0.1.2). O encaminhamento de 10.0.1.2 para a internet funciona perfeitamente, mas quando estou tentando redirecionar todas as portas de 85.25.248.216 (eth0: 1) para o 10.0.1.2 ele falha:

iptables -t nat -A PREROUTING -d 85.25.248.216 -j DNAT --to-destination 10.0.1.2
nmap -A -v 85.25.248.216
<...>
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.8p1 Debian 4 (protocol 2.0)
| ssh-hostkey: 1024 4e:3e:ce:86:24:f8:54:7a:68:67:be:57:92:62:00:f0 (DSA)
|_2048 36:f5:0d:4c:1b:58:b8:f9:ff:0f:47:ba:88:43:69:bd (RSA)
10000/tcp open  http    MiniServ 1.540 (Webmin httpd)
|_html-title: Site doesn't have a title (text/html).
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.19 - 2.6.31

india827:~# iptables --list -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  anywhere             static-ip-85-25-248-216.inaddr.intergenia.de to:10.0.1.2 
DNAT       tcp  --  anywhere             static-ip-85-25-248-216.inaddr.intergenia.de tcp dpt:3389 to:10.0.1.2 

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  anywhere             static-ip-85-25-248-216.inaddr.intergenia.de to:10.0.1.2 

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            
SNAT       all  --  anywhere             anywhere            to:85.25.248.216 

A VM está no Windows, e deve haver, pelo menos, 3389 (RDP) aberta, mas eu (é claro!) não consigo me conectar a ela também. Onde está o erro?

Novas regras:

iptables -t nat -A PREROUTING -d 85.25.248.216 -j DNAT --to-destination 10.0.1.2
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -d 10.0.1.2 -j ACCEPT

O resultado é o mesmo ...