I need to get access to remote desktop (port 3389) on an xp machine which is behind a linux iptables firewall. The two rules I used:

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 3389 -d 192.168.1.251 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3389 -j DNAT --to 192.168.1.251:3389

and ip_forward is enabled
cat /proc/sys/net/ipv4/ip_forward
1

But I had no sucess. Can someone please help me.

Bellow I am sending iptables -vnL and iptables -t nat -vnL (to make everyhing easier the above stated two rules are the only ones I entered into iptables)

iptables -vnL
Chain INPUT (policy ACCEPT 111 packets, 10247 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth1 eth0 0.0.0.0/0 192.168.1.251 tcp dpt:3389

Chain OUTPUT (policy ACCEPT 115 packets, 9888 bytes)
pkts bytes target prot opt in out source destination

iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 4 packets, 634 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 to:192.168.1.251:3389

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Does the WinXP machine uses the Linux box as its default gateway?

Try this:

What's your default FORWARD policy? If its DROP, you will need a forward rules like so :

iptables -A FORWARD -j ACCEPT -p tcp --dport 3389
iptables -A FORWARD -j ACCEPT -p tcp --sport 3389

However, if you've implemented a state match forwarding rule ...

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

then you will only need the ---dport 3389 FORWARD and PREROUTING rules as SirGertrude mentioned. You can always run up tcpdump or tethereal on your ethernet adapters to see how the packets are flowing betwen interfaces if you get stuck.