what i notice is that you are sending the output to eth0 if you have this box set up as a router, it'd actually be going out eth1 try that and in adition add -j DNAT --to aaa.bbb.ccc:25 don't need -destination