You need it for chain=forward … and connection-state at least “established,related” … untracked most often doesn’t hurt (but doesn’t help in your particular case either). But most definitely not “new”; you’re trying to block new connections by using your rules. And push this new rule high on the list of rules for chain=forward, definitely above the rules that selectively block traffic between both subnets.
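To make the ordering concrete, here is an added example of what the forward chain could look like (example only, not the poster's own config; the two subnets 192.168.10.0/24 and 192.168.20.0/24 and the interface names are assumed placeholders). The point is that the established,related accept rule is inserted at position 0, ahead of the drop rules between the subnets, so reply packets of already-allowed connections are never evaluated by those drops, while a brand-new connection from one subnet to the other still hits them:

```routeros
# RouterOS firewall filter, chain=forward (added example, not from the original post)
/ip firewall filter

# 1) Accept packets belonging to connections that already exist.
#    place-before=0 puts this rule at the very top of the list so it is
#    evaluated before the selective drops below.
#    Adding "untracked" is harmless here but not needed for this case;
#    "new" must NOT be in this list or the drops below never see new connections.
add chain=forward connection-state=established,related action=accept \
    place-before=0 comment="accept return traffic of allowed connections"

# 2) Selective blocking between the two subnets (assumed example addresses).
#    These only ever see packets of new (and invalid/untracked) connections now.
add chain=forward src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    action=drop comment="block LAN10 -> LAN20"
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.10.0/24 \
    action=drop comment="block LAN20 -> LAN10"

# If the accept rule already exists further down, move it to the top instead:
# /ip firewall filter move [find comment="accept return traffic of allowed connections"] destination=0
```

Check the result with `/ip firewall filter print` and confirm the established,related accept rule shows up before the subnet drop rules; if it is below them, the drops win and return traffic between the subnets is still blocked.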