фильтр с iptables входящего трафика от VPN

Я настроил VPN для частного поставщика услуг через OpenVPN.
Эта настройка использует VPN в качестве шлюза по умолчанию.
It all works fine but when I try to apply some basic iptables rules to filter traffic in and out the tunnel, I don't seem to be able to affect the inbound traffic. Outbound filtering appears to work fine though.

I suppose my iptables rules refer to tun12 which for output can be filtered happily but inbound I would only see the UDP traffic on port 1194 as it's still encrypted. I'm working with the FORWARD table at the moment.

How do I go applying iptables filtering inbound?

root@router# iptables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOTHIS-IN  all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            state NEW
11323  780K DOTHIS-OUT all  --  *      tun12   0.0.0.0/0            0.0.0.0/0            state NEW

NOTE: this is happening only when I match status NEW. If I remove the match the iptables work fine.

root@router# iptables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOTHIS-IN  all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            state NEW
6154K 8071M DOTHIS-IN  all  --  tun12  *       0.0.0.0/0            0.0.0.0/0

NOTE2: the tunnel is nat enabled

Thanks!