I have forwarded some ports from an internet facing machine to my home server using the NAT table and PREROUTING chain in iptables. The NAT destination IP is on my OpenVPN VPN.
I want to protect against DDoS and have found some iptables rules that, among other things, limit the number of connections per IP or over time, but they need to be appended to the INPUT chain.
If a packet hits my public machine on a forwarded port, will iptables rules on the INPUT chain (MANGLE table) be applied, since the target is that same machine and the packet is then handed to a process running locally (OpenVPN)? Or do I need to append those rules on my home server?
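As an added example (not part of the question or any answer to it), the script below shows where such limits sit on the public machine. The netfilter order is fixed: nat/PREROUTING (where the DNAT happens) runs before the routing decision, and because the rewritten destination is the home server's VPN address rather than an address of the public machine, the packet is routed and traverses filter/FORWARD, never filter/INPUT. The OpenVPN process only sees the packet later, after it has been routed out of the tun interface. The interface name, port numbers and VPN address are placeholders I assumed; the connlimit and hashlimit thresholds are illustrative.

```sh
#!/bin/sh
# Added example, not code from the original post. All values are assumed:
#   PUB_IF   - internet-facing interface of the public machine
#   PUB_PORT - the forwarded TCP port
#   VPN_DST  - the home server's address on the OpenVPN network
#   VPN_PORT - the service port on the home server
PUB_IF=${PUB_IF:-eth0}
PUB_PORT=${PUB_PORT:-8080}
VPN_DST=${VPN_DST:-10.8.0.2}
VPN_PORT=${VPN_PORT:-80}

# Print the rule set, one iptables command per line.
# nat/PREROUTING rewrites the destination to VPN_DST before routing; VPN_DST
# is not a local address, so the packet takes the FORWARD path. Per-source
# limits therefore go in filter/FORWARD. filter/INPUT only sees packets whose
# destination is the public machine itself (e.g. OpenVPN's own listening port).
emit_rules() {
	cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport $PUB_PORT -j DNAT --to-destination $VPN_DST:$VPN_PORT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $PUB_IF -p tcp -d $VPN_DST --dport $VPN_PORT --syn -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -A FORWARD -i $PUB_IF -p tcp -d $VPN_DST --dport $VPN_PORT --syn -m hashlimit --hashlimit-name fwd_dnat --hashlimit-mode srcip --hashlimit-above 30/second --hashlimit-burst 60 -j DROP
iptables -A FORWARD -i $PUB_IF -p tcp -d $VPN_DST --dport $VPN_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Helpers that report which chains the generated rules touch.
forward_rule_count() { emit_rules | grep -c -- ' -A FORWARD ' || true; }
input_rule_count()   { emit_rules | grep -c -- ' -A INPUT ' || true; }

# Dry run by default; pass --apply to execute the commands (as root).
apply_rules() {
	if [ "$1" = "--apply" ]; then
		emit_rules | sh -e
	else
		emit_rules
	fi
}

case "$1" in
	--apply|--dry-run) apply_rules "$1" ;;
esac
```

The ESTABLISHED,RELATED accept comes first so that the connlimit and hashlimit rules only evaluate new connections (the `--syn` match restricts them to initial SYNs), and `--connlimit-mask 32` counts per source IPv4 address. The rules assume a FORWARD policy of DROP; with an ACCEPT policy the final ACCEPT rule is redundant. To confirm the chain on a live system, open a test connection from outside and compare the counters in `iptables -vnL FORWARD` and `iptables -vnL INPUT`: only the FORWARD counters move for the forwarded port. The one INPUT-chain rule that is still relevant on the public machine is whatever protects OpenVPN's own UDP or TCP port, which is the only part of this flow addressed to the machine itself.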