My setup:
Cisco 677 DSL Router (int ip=10.100.1.1), connected to my firewall
(Shorewall), server z behind firewall need ext port 3000 access.
This is what I have done:
a. On 677 : set nat entry add 10.100.1.4 3000 [public-ip] 3000 tcp
{This works fine as far as I can see. The 677 is doing NAT and packets
from the Internet are sent to port 3000 on the external interface (eth1) on the fw}
b. On fw (eth1=10.100.1.4)(eth0=192.168.0.6), I have done DNAT from
net, to local, port 3000, 192.168.0.10 {As you can see, I want all
traffic with dport 3000 to go to 192.168.0.10}
The problem:
This is the log-entry:
Aug 10 13:41:15 fw-2 kernel: Shorewall:logdrop:DROP:IN=eth1 OUT= MAC=00:10:4b:6c:a0:6f:00:02:fd:02:96:c9:08:00 SRC=195.229.241.228 DST=10.100.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=29417 PROTO=TCP SPT=41578 DPT=3000 WINDOW=65535 RES=0x00 SYN URGP=0
As far as I can determine, it does see the SRC address of the external
client that I am connecting from, and it wants to go to 10.100.1.4. I
am pretty sure I am not doing the right thing here:
1) I cannot do a different entry on the 677 than 10.100.1.4, as this is the
interface it is connected to on the fw side?
2) Why is it giving the MAC address in OUT= ? {By the way, this MAC
seems to be eth1.} Does this mean that it is trying to go in & out on
10.100.1.4?
3) How should my DNAT entry then look, keeping in mind that the
traffic is already DNATted by the 677?
Even if I come out as the complete dork here, any pointers would be
appreciated!
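As an added example (not part of the post above, and not Shorewall's own tooling), here is a small Python diagnostic that parses a netfilter/Shorewall kernel log line like the one quoted, splits the MAC= field into its three parts (netfilter logs the link-layer header as destination MAC, source MAC, ethertype, so 08:00 at the end is just IPv4), and checks whether the DST address is still the firewall's own external address or has already been rewritten to the DNAT target. Filter-table chains see packets after nat PREROUTING, so a dropped packet whose DST is still the firewall's external IP was never translated. The addresses used (10.100.1.4, 192.168.0.10, port 3000) are taken from the post; the sample log line is reconstructed from the post's log fragment and is not a live capture.

```python
import re

# Constructed sample: the log line from the post, re-joined onto one line.
SAMPLE_LOG = (
    "Aug 10 13:41:15 fw-2 kernel: Shorewall:logdrop:DROP:IN=eth1 OUT= "
    "MAC=00:10:4b:6c:a0:6f:00:02:fd:02:96:c9:08:00 SRC=195.229.241.228 "
    "DST=10.100.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=29417 PROTO=TCP "
    "SPT=41578 DPT=3000 WINDOW=65535 RES=0x00 SYN URGP=0"
)

# KEY=value tokens emitted by the netfilter LOG target (OUT= may be empty).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Shorewall log prefix: "Shorewall:<chain>:<disposition>:"
PREFIX_RE = re.compile(r"Shorewall:([^:\s]+):([A-Z]+):")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")


def parse_netfilter_log(line):
    """Return a dict of the KEY=value fields plus CHAIN, DISPOSITION and TCP FLAGS."""
    fields = dict(FIELD_RE.findall(line))
    m = PREFIX_RE.search(line)
    if m:
        fields["CHAIN"] = m.group(1)
        fields["DISPOSITION"] = m.group(2)
    # TCP flags are logged as bare words (e.g. "SYN"), not as KEY=value.
    fields["FLAGS"] = [f for f in TCP_FLAGS if re.search(rf"\b{f}\b", line)]
    return fields


def decode_mac(mac_field):
    """Split the 14-octet MAC= field into dst MAC, src MAC and ethertype."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        return None
    return {
        "dst_mac": ":".join(octets[:6]),    # the firewall's own NIC (eth1 here)
        "src_mac": ":".join(octets[6:12]),  # the upstream device (the 677)
        "ethertype": "".join(octets[12:]),  # "0800" = IPv4
    }


def diagnose_dnat(fields, fw_ext_ip, dnat_target, dport):
    """Classify a dropped packet relative to an expected DNAT of tcp/<dport>.

    Returns one of: "other", "dnat-applied", "dnat-missing".
    """
    if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(dport):
        return "other"
    if fields.get("DST") == dnat_target:
        # Translation happened; the drop comes from the net->loc forwarding policy.
        return "dnat-applied"
    if fields.get("DST") == fw_ext_ip:
        # Translation never happened; the packet is being judged as traffic
        # to the firewall itself (net->fw), which is why it hits the drop policy.
        return "dnat-missing"
    return "other"


if __name__ == "__main__":
    f = parse_netfilter_log(SAMPLE_LOG)
    print("chain/disposition:", f.get("CHAIN"), f.get("DISPOSITION"))
    print("in/out:", repr(f.get("IN")), repr(f.get("OUT")))
    print("mac:", decode_mac(f["MAC"]))
    print("verdict:", diagnose_dnat(f, "10.100.1.4", "192.168.0.10", 3000))
```

Run against the post's own log line, the verdict is "dnat-missing": DST is still 10.100.1.4 and OUT= is empty, which is the signature of a packet addressed to the firewall itself rather than one being forwarded to the internal host.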