I've just moved my original answer down for future reference because I've noticed something else. You have set up an advanced Incoming Allow rule and not an advanced Port Forward. When you add a rule, change the drop down box from Incoming Allow to Port Forward.
Original answer for future reference
I think that looks OK. I tried specifying a single port and a port range here and they both looked OK. You could try adding a logging rule:
iptables -t nat -I PREROUTING -s ! 220.127.116.11/20 -i ethX -p tcp --dport 25 -j LOG
Replace ethX with your WAN interface. or replace
If you do this rule at the command line it will survive until the firewall restarts. The firewall restarts for all sorts of reasons, one of which is if you change any firewall rule in the webconfig. To make it permanent add it to /etc/rc.d/rc.firewall.local as well as the command line. This will log to /var/log/messages among all the other messages there. There is a way to log to another file if necessary, but this should work for the short term.
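Because the LOG rule above carries no log prefix and writes into /var/log/messages alongside everything else, the matching entries have to be picked out by their fields. The following is an added example, not part of the original answer: the function name `smtp_log_summary`, the helper `sample_messages`, and the sample log lines are constructed for illustration, and it assumes the usual kernel LOG target field layout (IN=, SRC=, PROTO=, DPT=).

```shell
#!/bin/sh
# Added example: count netfilter LOG entries for TCP port 25 per source address.
# The rule on this page sets no --log-prefix, so entries are recognised by the
# IN=/PROTO=/DPT= fields that the kernel LOG target writes.

# smtp_log_summary [FILE...]
# Prints "COUNT SRC" per source address, busiest first. Reads stdin if no file.
smtp_log_summary() {
    awk '
    # Trailing spaces keep DPT=25 from matching DPT=2525 or DPT=250.
    / IN=[^ ]+ / && / PROTO=TCP / && / DPT=25 / {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { hits[substr($i, 5)]++; break }
    }
    END { for (s in hits) print hits[s], s }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample of /var/log/messages (documentation addresses, not real data).
sample_messages() {
    cat <<'EOF'
Jan 10 09:14:01 gw kernel: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=41822 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 09:14:02 gw postfix/smtpd[2211]: connect from unknown[203.0.113.7]
Jan 10 09:15:40 gw kernel: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=120 DF PROTO=TCP SPT=50110 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 10 09:16:03 gw kernel: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4799 DF PROTO=TCP SPT=41830 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 09:17:10 gw kernel: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.99 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=9 DF PROTO=TCP SPT=33000 DPT=2525 WINDOW=14600 RES=0x00 SYN URGP=0
EOF
}

# Usage against the live log:  smtp_log_summary /var/log/messages
# Usage against the sample:    sample_messages | smtp_log_summary
```

If no lines are counted after sending test traffic to port 25, the packets are not reaching the PREROUTING chain on the interface named in the rule.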