How to filter dst-nat

I have a dst-nat forwarding one port to an internal pc.

In the filter's input chain, if it is blocked, it still goes through.

I know nat happens before input filter, but shouldn’t it still get blocked? The port doesn’t change, only the dst ip, and the input filter goes by the port.

No, you're confused in regard to the chains. Destination NAT happens right after prerouting. After destination NAT on an incoming packet the router looks at the destination IP address in the packet header and decides whether the packet will get put into the input chain (destination IP is assigned to a router interface) or the forward chain (destination IP address is behind a router interface). Your dst-nat rule changes the IP address to one belonging to a PC connected through the router, so the packet will be in the forward chain and not the input chain. It will also have been in the prerouting chain, but at that point it doesn't have its final destination IP yet. You could still make filter decisions in that chain - but be aware of what the destination IP is at that point.
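The chain order described in the reply above, written out as an added RouterOS configuration example that is not from the thread (the chain names used in the thread match RouterOS; the port 3389, the internal address 192.168.88.10, the interface list WAN and the address list allowed-admins are assumed placeholders):

```routeros
# Constructed example: forward TCP/3389 from the WAN to an internal PC.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=3389

# Does NOT block the forwarded traffic: after dst-nat the destination is
# 192.168.88.10, which is not a router address, so the packet takes the
# forward chain and never reaches the input chain.
/ip firewall filter
add chain=input in-interface-list=WAN protocol=tcp dst-port=3389 action=drop

# Correct place for the policy: the forward chain, matching only connections
# that were created by a dst-nat rule. Accept the allowed sources first,
# then drop every other dst-nat'ed connection coming in from the WAN.
add chain=forward connection-nat-state=dstnat in-interface-list=WAN \
    src-address-list=allowed-admins action=accept
add chain=forward connection-nat-state=dstnat in-interface-list=WAN action=drop

# Alternative: decide before NAT in the raw prerouting chain. Here the
# packet still carries its original destination (the router's public
# address), so match on interface and port rather than on the internal IP.
/ip firewall raw
add chain=prerouting in-interface-list=WAN protocol=tcp dst-port=3389 \
    src-address-list=!allowed-admins action=drop
```

Rule order matters: the two forward rules must sit above any broader accept rule for WAN-to-LAN traffic, or the broader rule will admit the forwarded connection first.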

Ok, that makes sense then. DNAT changes the dest ip to a non-router-interface ip, so it never goes through the input chain at all.

Thank you for the clarification!