Pokotilenko Kostik wrote:
When the client disconnects, the rules are deleted and new connections are being rejected. But the problem is that existing DNAT'ed connections continue to operate.
That's the normal behaviour of NAT.
That has raised a question: How to kill a DNAT'ed connection?
Just like any other connection: with DROP or REJECT.