iptables

Why is the port not being forwarded?

Good day to all.
I inherited a server with KVM and configured iptables.
I confess honestly, I actively delve into this matter, but unfortunately the holes in knowledge are still patched and patched. And how evil fell the task that needs to be done quickly.
The point is the following.
1) I made a virtual machine with Windows2016 with the address 10.10.20.121
2) I installed a terminal server on it, tried it from the local network, everything works and connects.
3) We have a firewall.sh file there, in which I added the lines
iptables -t nat -A PREROUTING -p tcp --dport 19999 -s 89.189.172.47 -j DNAT --to-destination 10.10.20.121:3389
iptables - t nat -A POSTROUTING -p tcp -d 10.10.20.121/24 --dport 3389
4) As a result, I want to knock on the white ip address of the machine on port 19999 and get RDP on 10.10.20.121
5) I did /etc/sysconfig/firewall.sh && service iptables save && systemctl restart iptables
6) I get iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
7) I watch /etc/sysconfig/iptables line containing -A PREROUTING -s 89.189.172.47/32 -p tcp -m tcp --dport 19999 -j DNAT -- to-destination 10.10.20.121:3389
Eeeee... Everything. I can't connect to the correct address :( I know I'm making some incredibly stupid mistake, but I've been meditating on firewall.sh all day and I can't figure out what the problem is. I would be extremely grateful if you could point your finger at what I'm doing wrong?
Thank you very much in advance.