filter->forward rules if I already have nat->dst_nat?

I have two public IPs on different carriers and several servers behind my MT router. I have many dst-nat rules for various combinations of (public IP, public port, server private IP, server port). Mangle rules ensure that traffic goes out from the public IP on which it entered. Src-nat rules allow the servers to originate outbound traffic.

All of the above works just fine.

Question: For security purposes, should I also create filter->forward->accept rules to match the dst-nat rules, and add a filter->forward->drop rule to discard new connections that I don’t want to reach inside my network?

It seems to me that if I don’t have a dst-nat rule for a particular (external IP, port) combination, it’s going to be dropped anyway, so why drop it explicitly with a filter rule?

In fact, will packets even hit the filter->forward chain if they don’t match a dst-nat rule? If they don’t, why would I ever want a filter->forward->drop rule?

In case you’re wondering, I do have quite a few filter->input rules to only accept router-bound traffic that I want. Other input chain packets are dropped. My question is regarding the need to filter forward-chain packets.

Thanks in advance for all of the wise and thoughtful advice I’m sure I’ll see.

Yes, you should filter in the forward chain. You should do so because NAT is not a firewall. It is possible to maliciously craft packets that bypass NAT. There’s also source routing, which hopefully is blocked by your ISP, but might not be. Additionally you might not trust the ISP, where anyone would be able to insert a route to your private LAN IP space via your WAN IP. The same could be done by anyone on the directly connected WAN network, if you’re on a shared network.

Hi! I have a question regarding this topic.

I have a lot of dst-nat rules (different ports on public IPs are mapped to hosts in LAN).

Is there any way to filter them in the firewall forward chain with fewer rules?
I want to allow NATed traffic and drop malicious packets to internal IPs from WAN interfaces.

The only method I could imagine is to mark packets during prerouting with dst-addr=my-lan on WAN interfaces before any dst-nat rules are applied, and then drop them in the forward chain.
Any better ideas?
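As an added example that is not from any poster in this thread: a forward-chain policy for the setup discussed above, using RouterOS's connection-nat-state matcher so that one accept rule covers every dst-nat mapping and one drop rule catches everything else arriving from the WAN side (including packets addressed directly to private LAN IPs, which do traverse the forward chain whether or not dst-nat rewrote them). The interface names and the WAN interface list are placeholder assumptions.

```routeros
# Added example, not from the thread. Assumed placeholders: two carrier
# uplinks ether1-isp1 and ether2-isp2, grouped into an interface list "WAN".
/interface list add name=WAN
/interface list member add list=WAN interface=ether1-isp1
/interface list member add list=WAN interface=ether2-isp2

/ip firewall filter
# Fast path: packets of connections that were already allowed.
add chain=forward action=accept connection-state=established,related comment="allow established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# A single rule for all port forwards: only new connections from WAN whose
# destination was actually rewritten by a dst-nat rule may pass.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN comment="allow dst-natted inbound"
# Any other new connection entering from WAN has no dstnat state and is
# dropped, so direct hits on private LAN addresses never reach the servers.
add chain=forward action=drop connection-state=new in-interface-list=WAN comment="drop other inbound from WAN"
```

Outbound LAN-originated connections are not matched by the final drop because they do not enter on a WAN interface; adding or removing a dst-nat rule requires no change to these filter rules.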