Why don’t you just permit the traffic to one address and then deny the remaining forwarding traffic? I don’t see any need for mangle rules on the basis of what you have described so far.
Hmm… maybe I was not clear enough, let me restate the problem.
I want to block all packets incoming from the internet (port wan) that have a destination address in any private network (10.*, 192.168.*). Clearly there should be no such packets routed around the internet, but just in case there is one, I want to block it.
This needs to be done early in prerouting, as dstnat (port forward) will rewrite the dst address of other, legal packets to my network (e.g. src=1.x dst=2.x), and such a rewritten packet (src=1.x dst=10.x) in the forward chain would be indistinguishable from a rogue packet (e.g. src=1.x dst=10.x) entering wan.
Block such traffic in forwarding but earlier in the forward chain permit the paths necessary for the DST NATed traffic. In a firewall the default should be to deny traffic and only explicitly permitted traffic should be able to pass.
Sure - you can simply allow traffic to a wider range of IPs/ports than each individual DST NAT needs in order to cover them all. That would not be recommended from a security perspective.
I am using this set of rules. Why do you not consider them optimal? I don’t see any dropping options during Prerouting.
Specifically, I don’t know how to make “dst=private-nets and dst!=R2-ip-address”.
In general, mark one connection or packet with, say, “predrop” where dst=private-nets, then have the second rule act on connections or packets where mark is predrop, and finally mark them “drop”.
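An added example of the rules discussed in this thread, written out as RouterOS firewall configuration; it is not from any of the posts above. The WAN port name ether1-wan, the address-list name private-nets and the placeholder 10.0.0.2 standing in for the “R2” address are assumptions. It shows the early drop in prerouting that the question asks for (RouterOS has no drop action in mangle, so this goes in the raw table, which runs before dstnat), the mark-then-drop variant from the last reply, and the connection-nat-state matcher that lets the forward chain tell a port-forwarded packet from a rogue one.

```routeros
# Added example, not from the thread. Assumed names: WAN port ether1-wan,
# address list private-nets, and 10.0.0.2 as the R2 address that must stay reachable.

/ip firewall address-list
add list=private-nets address=10.0.0.0/8
add list=private-nets address=172.16.0.0/12
add list=private-nets address=192.168.0.0/16

# Variant 1: drop in prerouting before dstnat rewrites anything.
# The raw table (RouterOS 6.36+) is the prerouting hook that can drop.
# Rule order gives "dst!=R2": the accept for R2 is evaluated first,
# then everything else from WAN to private space is dropped.
/ip firewall raw
add chain=prerouting in-interface=ether1-wan dst-address=10.0.0.2 action=accept comment="R2 exception (assumed address)"
add chain=prerouting in-interface=ether1-wan dst-address-list=private-nets action=drop comment="WAN packets to private space, dropped before dstnat"

# Variant 2: the mark-then-drop approach from the last reply. Mangle prerouting
# also runs before dstnat, so the mark is decided on the original dst address
# and travels with the packet into the forward chain.
/ip firewall mangle
add chain=prerouting in-interface=ether1-wan dst-address-list=private-nets action=mark-packet new-packet-mark=predrop passthrough=yes
add chain=prerouting packet-mark=predrop dst-address=!10.0.0.2 action=mark-packet new-packet-mark=drop passthrough=no

/ip firewall filter
# Must sit above the accept rules for port-forwarded traffic.
add chain=forward packet-mark=drop action=drop comment="marked in mangle prerouting"

# Variant 3: stay in forward. A port-forwarded packet carries a dstnat
# connection state; a rogue packet to 10.x that was never rewritten does not.
add chain=forward in-interface=ether1-wan connection-state=new connection-nat-state=!dstnat action=drop comment="new WAN connections that were not DSTNATed"
```

Variant 1 also has a side benefit: raw prerouting runs before connection tracking, so dropped packets never create conntrack entries, which keeps a flood of such packets cheap to handle. Pick one variant rather than stacking all three; in variant 2 the two mangle rules could be collapsed into a single rule with dst-address-list=private-nets dst-address=!10.0.0.2, the two-step form is kept here only because it mirrors the reply.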