It sounds like you basically want to forward port 3389/TCP. That would go something like:
Code:
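# Allow replies and related traffic for connections already accepted
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow new RDP connections from WAN to the LAN host (--dport needs -p)
iptables -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE --dport 3389 \
-d 192.168.1.111 -m state --state NEW -j ACCEPT
# Rewrite the destination of inbound 3389/TCP to the LAN host
iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 3389 -j DNAT \
--to-destination 192.168.1.111
# Source-NAT traffic leaving via the WAN interface
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE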
For a touch of security, I recommend you also specify the support person's public IP address so that only that IP is given access, like:
Code:
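# Allow replies and related traffic for connections already accepted
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow new RDP connections only from the support person's IP (-s)
iptables -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE --dport 3389 \
-d 192.168.1.111 -s 243.34.87.228 -m state --state NEW -j ACCEPT
# Rewrite the destination of inbound 3389/TCP to the LAN host
iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 3389 -j DNAT \
--to-destination 192.168.1.111
# Source-NAT traffic leaving via the WAN interface
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE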
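
Added example, not part of the original post: a check that reads `iptables-save` output and reports whether a FORWARD rule accepting 3389/TCP is limited to a source address, which is the difference between the two rule sets above. The function name, the sample rule dumps and the interface names eth0/eth1 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Audits iptables-save text for
# filter-table FORWARD rules that accept 3389/TCP with no source restriction.
# Prints "OPEN <rule>" or "RESTRICTED <source>"; returns 1 if any rule is OPEN.
# Only plain --dport is handled (not multiport --dports).
audit_rdp_forward() {
    awk '
    /^\*/ { table = $1 }
    table == "*filter" && $1 == "-A" && $2 == "FORWARD" &&
    / --dport 3389( |$)/ && / -j ACCEPT( |$)/ {
        src = ""
        for (i = 3; i < NF; i++)
            if ($i == "-s") { src = ($(i - 1) == "!") ? "" : $(i + 1); break }
        if (src == "" || src == "0.0.0.0/0") {
            print "OPEN " $0; open = 1
        } else print "RESTRICTED " src
    }
    END { exit (open ? 1 : 0) }'
}

# Constructed sample: the post's first rule set as iptables-save would show it
# (eth0 = WAN and eth1 = LAN are assumed interface names).
sample_open() {
    cat <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.111/32 -i eth0 -o eth1 -p tcp -m tcp --dport 3389 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the second rule set, limited to the support person's IP.
sample_restricted() {
    cat <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 243.34.87.228/32 -d 192.168.1.111/32 -i eth0 -o eth1 -p tcp -m tcp --dport 3389 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Demo on the samples; on a live gateway run: iptables-save | audit_rdp_forward
sample_open | audit_rdp_forward || echo "-> RDP forward accepts any source"
sample_restricted | audit_rdp_forward && echo "-> RDP forward is source-restricted"
```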