System administration
Nikita Shinkevich, 2020-06-25 22:21:43

How to forward a port from the Internet to another Internet server (à la gateway) on CentOS 7?

Good evening friends!

Following up on the question about hiding the RDP server, I am trying to implement what the knowledgeable people advised me, but I do not have enough knowledge, since I am completely unfamiliar with Linux systems. :(

Briefly about the task, so that you understand what needs to be done and why, in case the previous question was not opened:
There is an RDP server located in the Russian Federation. The IP that clients connect to for the RDP server must be a different one, preferably in a nearby European country. In other words, we need an intermediary server that would accept connections on port 3389, redirect TCP/UDP to the real IP of the server on the same port 3389, keeping the real IP secret from users and prying eyes.

It has already been explained to me at length that this is nonsense, spy mania and, in general, an amateurish and stupid idea, but the task has been set, and I am stupid, yet I am trying to fulfill the wishes of management in the spirit of "any whim for your money".


My attempt at solving the problem, which did not work:

I took a VDS with 1x2.2GHz, 1GB RAM, 1 IP. Installed CentOS 7.6.1810. I tried to pick apart both of the proposed options: haproxy, and disabling firewalld and enabling iptables. The configs are like hieroglyphs to me.

If someone has the time and desire to teach a fool some science, please describe the process of implementing this (according to the experts of the previous question) trifling matter of 10 minutes' work...?

Thanks in advance for any result.


3 answer(s)
Andrey Barbolin, 2020-06-25
@domres

Come here.
Hide the RDP server... but how?

CityCat4, 2020-06-26
@CityCat4

A task like any other, perfectly normal. Apparently there are reasons to hide the fact that the target server is in the Russian Federation. It happens. There are people like that -
"...Who look with tenderness
At foreign stickers...
And eat bacon... Russian!" (C) Mikhalkov S.V., Two Friends.
Back to our sheep.
The task reduces to ordinary NAT, which changes the destination IP from the local one to a remote one in a packet arriving at port 3389, after which the kernel, of course, sends this packet out into the world via the default gateway.
First of all, I recommend this diagram to anyone and everyone who is stuck and does not know how a packet passes through netfilter. Print it and hang it up at work.
Let's set the assumptions first.
Server IP = 212.20.5.1 (many, many years ago this was the IP of our server; it really is Russian :) )
VPS IP = 170.70.1.1 (pulled out of thin air)
The default policy for filter is ACCEPT (everything that is not prohibited is allowed. A very dangerous policy, it is only for demonstration purposes, you must not do that in real life; I am just reluctant to write additional rules for passing traffic)

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

We perform NAT in the PREROUTING chain of the nat table (it comes before filter). The packet gets here right after mangle PREROUTING.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 3389 -d 170.70.1.1 -j DNAT --to-destination 212.20.5.1

It reads: "if a packet arrives via the TCP protocol on port 3389 of IP 170.70.1.1, then apply the DNAT action, replacing the destination IP with 212.20.5.1. Place the rule in the PREROUTING chain."
Now what? Now, since we have changed the destination IP and it is no longer local, the kernel decides that the packet needs to be forwarded (the routing decision in the diagram), to the FORWARD chain. First mangle FORWARD, then filter FORWARD (this is the main table, which is usually called the firewall; we let everything through in it).
Then mangle POSTROUTING and nat POSTROUTING. In nat POSTROUTING we need to do some camouflage. In the packet, the destination IP is 212.20.5.1, but the source IP is the IP from which the packet came to the VPS. We do not want this, both because the task is to hide it and because when the packet reaches 212.20.5.1, it will reply directly to that IP. Therefore, we do the following:
-A POSTROUTING -o eth0 -j SNAT --to-source 170.70.1.1

It reads: "if the packet leaves through the eth0 interface, then apply the SNAT action and replace the source IP with 170.70.1.1".
This is a standard NAT rule; it is always present if the VPS is doing NAT for anything.
That's all. The packet to 212.20.5.1 leaves from IP 170.70.1.1, the server replies to that source IP, the VPS sees that NAT took place and sends the packet back to where it came from.
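A complete, runnable version of the scheme from the answer above, added here as an editor's example rather than code from the original post. It generates an iptables-restore file for CentOS 7 (firewalld disabled, the iptables-services package enabled, as the question describes) that forwards both TCP and UDP 3389 as the question asks, restricts SNAT to the relayed RDP flows instead of every packet leaving the interface, replaces the demonstration-only ACCEPT policy with DROP plus explicit allows, and sets net.ipv4.ip_forward, which the answer's fragments do not mention and without which the kernel drops the DNATed packet at the routing decision instead of forwarding it. The addresses 170.70.1.1 and 212.20.5.1 are the answer's; the interface name eth0, SSH on port 22 and the file paths are assumptions.

```shell
#!/bin/bash
# Added editor's example (not from the original post): generate and apply an
# iptables configuration that relays RDP (TCP+UDP 3389) from VPS_IP to SERVER_IP.
# Assumptions: outbound interface eth0, SSH on port 22, CentOS 7 with the
# iptables-services package; the /etc paths are that package's defaults.
set -eu

# Print an iptables-restore file (comment lines are allowed in that format).
gen_iptables_rules() {
    local vps_ip="$1" server_ip="$2" wan_if="${3:-eth0}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: packets arriving for VPS_IP:3389 get their destination rewritten to the real server
-A PREROUTING -d ${vps_ip} -p tcp --dport 3389 -j DNAT --to-destination ${server_ip}:3389
-A PREROUTING -d ${vps_ip} -p udp --dport 3389 -j DNAT --to-destination ${server_ip}:3389
# SNAT only the relayed RDP flows, so the real server replies to the VPS, not to the client
-A POSTROUTING -o ${wan_if} -d ${server_ip} -p tcp --dport 3389 -j SNAT --to-source ${vps_ip}
-A POSTROUTING -o ${wan_if} -d ${server_ip} -p udp --dport 3389 -j SNAT --to-source ${vps_ip}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# FORWARD sees the packet after DNAT, so match on the rewritten destination
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d ${server_ip} -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -d ${server_ip} -p udp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Without this the kernel will not forward the DNATed packet at all.
gen_sysctl() {
    echo 'net.ipv4.ip_forward = 1'
}

# Apply everything on the CentOS 7 VPS; must run as root.
install_forwarding() {
    local vps_ip="$1" server_ip="$2" wan_if="${3:-eth0}"
    yum -y install iptables-services
    systemctl stop firewalld || true
    systemctl disable firewalld || true
    gen_sysctl > /etc/sysctl.d/90-rdp-relay.conf
    sysctl -p /etc/sysctl.d/90-rdp-relay.conf
    gen_iptables_rules "$vps_ip" "$server_ip" "$wan_if" > /etc/sysconfig/iptables
    systemctl enable iptables
    systemctl restart iptables   # the iptables service loads /etc/sysconfig/iptables
}

# Show what the kernel actually has loaded, to compare with the generated file.
show_state() {
    sysctl -n net.ipv4.ip_forward
    iptables -t nat -S PREROUTING
    iptables -t nat -S POSTROUTING
    iptables -S FORWARD
}

case "${1:-}" in
    print)   gen_iptables_rules "$2" "$3" "${4:-eth0}" ;;
    install) install_forwarding "$2" "$3" "${4:-eth0}" ;;
    status)  show_state ;;
esac
```

Run `bash relay.sh print 170.70.1.1 212.20.5.1 eth0` to inspect the generated rules before touching anything, `bash relay.sh install 170.70.1.1 212.20.5.1 eth0` as root to apply them, and `bash relay.sh status` afterwards to confirm ip_forward is 1 and the DNAT/SNAT rules are loaded. Two consequences worth knowing before the scheme goes to management: because of the SNAT, the real server sees every RDP session as coming from the VPS, so client addresses are only visible on the VPS itself (for example in its conntrack table); and the real server's IP is hidden only from the clients, not from the VPS provider or from anyone who can observe the traffic between the two hosts.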

Eugene, 2020-06-26
@HomeMan

Nikita, you're going the wrong way. The answer is in your first question.
