Here's my pveversion:
Code:
proxmox-ve: 7.2-1 (running kernel: 5.15.39-4-pve)
pve-manager: 7.2-7 (running version: 7.2-7/d0dd0e85)
pve-kernel-5.15: 7.2-9
pve-kernel-helper: 7.2-9
pve-kernel-5.15.39-4-pve: 5.15.39-4
pve-kernel-5.15.39-3-pve: 5.15.39-3
pve-kernel-5.15.30-2-pve: 5.15.30-3
ceph-fuse: 15.2.16-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve1
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-2
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-3
libpve-storage-perl: 7.2-8
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.0-3
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.5-1
proxmox-backup-file-restore: 2.2.5-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-2
pve-container: 4.2-2
pve-docs: 7.2-2
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-5
pve-firmware: 3.5-1
pve-ha-manager: 3.4.0
pve-i18n: 2.7-2
pve-qemu-kvm: 7.0.0-2
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-4
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.5-pve1
So here's my problem. With tons of issues with firewall rules on single IPs, I've decided to install nginx as a reverse proxy on the main host node. I've rejected my mobile data IP, which can be seen through iptables:
Code:
-A PVEFW-HOST-IN -s 89.205.139.161/32 -p tcp -m limit --limit 1/sec -j NFLOG --nflog-prefix ":0:5:PVEFW-HOST-IN: REJECT: "
-A PVEFW-HOST-IN -s 89.205.139.161/32 -p tcp -j PVEFW-reject
Now, while 80/443 traffic goes through the main node/host towards the containers where the web content is located, the firewall rules should still be in effect. As far as I know, all IPs go through the node first. Yet this doesn't appear to be working. My mobile data IP address can still access the websites without being rejected. And yes, the firewall on datacenter/node and container is on.
If I remove 80/443 from being accepted on the node, all traffic is being blocked. So that is working. I just can't seem to reject single IPs. Any idea as to why?
EDIT
Gotta love Cloudflare for screwing up my plans. My apologies. Being behind the Cloudflare DNS won't really make iptables work.
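The reason the host-level reject never fires is visible once you look at what each layer actually sees: the netfilter rule matches on the L3 source address of the packet, and when the site is fronted by Cloudflare that address belongs to Cloudflare's edge, not to the mobile client. The original client address only survives as an HTTP header, so the denylist has to be enforced at the reverse proxy, and only for connections that really come from the CDN (otherwise anyone hitting the node directly could forge the header). The following Python is an added illustration, not code from the forum post; the trusted-proxy range 203.0.113.0/24 and the peer addresses are constructed placeholders (a real deployment would load the CDN's published ranges), while 89.205.139.161/32 is the address from the poster's own rule.

```python
"""
Why a host-level source-IP reject does not fire behind a CDN, and how the
same denylist is applied at the reverse proxy instead.

Added example, not from the forum post. TRUSTED_PROXIES is a placeholder
documentation range (TEST-NET-3); a real deployment would use the CDN's
published egress ranges and keep them current.
"""
import ipaddress
from typing import Mapping

# Denylist mirrors the PVEFW-HOST-IN rule from the post (89.205.139.161/32).
DENYLIST = [ipaddress.ip_network("89.205.139.161/32")]

# ASSUMPTION: stand-in for the CDN's published edge ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

# Header in which the CDN carries the original client address
# (CF-Connecting-IP is Cloudflare's; X-Forwarded-For is the generic one).
CLIENT_IP_HEADER = "CF-Connecting-IP"


def _in_any(ip, nets) -> bool:
    """True if ip falls inside any of the given networks."""
    return any(ip in n for n in nets)


def host_rule_matches(peer_ip: str) -> bool:
    """Emulates '-A PVEFW-HOST-IN -s 89.205.139.161/32 -j PVEFW-reject':
    netfilter only sees the L3 source of the packet, i.e. the TCP peer.
    Behind a CDN that peer is the CDN edge, so the rule never matches."""
    return _in_any(ipaddress.ip_address(peer_ip), DENYLIST)


def effective_client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Return the address that access control at the proxy should act on.

    The forwarded header is honoured only when the TCP peer is a trusted
    proxy; a direct connection (bypassing the CDN) could carry any value
    in that header, so for those peers the header is ignored."""
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXIES):
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    hdr = lowered.get(CLIENT_IP_HEADER.lower())
    if hdr is None:
        return str(peer)
    try:
        return str(ipaddress.ip_address(hdr.strip()))
    except ValueError:
        return str(peer)  # malformed header: fall back to the peer address


def proxy_decision(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Apply the denylist to the effective client address at the proxy."""
    client = ipaddress.ip_address(effective_client_ip(peer_ip, headers))
    return "reject" if _in_any(client, DENYLIST) else "accept"


if __name__ == "__main__":
    # Constructed request: the denylisted client reaches the node via the CDN.
    via_cdn = ("203.0.113.10", {"CF-Connecting-IP": "89.205.139.161"})
    print("host rule fires :", host_rule_matches(via_cdn[0]))  # False
    print("proxy decision  :", proxy_decision(*via_cdn))        # reject
    # Constructed request: direct hit on the node with a forged header.
    forged = ("198.51.100.7", {"CF-Connecting-IP": "89.205.139.161"})
    print("proxy decision  :", proxy_decision(*forged))         # accept
```

In nginx the same logic is the `ngx_http_realip_module` (`set_real_ip_from` for each CDN range plus `real_ip_header CF-Connecting-IP;`) followed by an ordinary `deny 89.205.139.161;`, and the complementary host-level step is to accept 80/443 only from the CDN's ranges so that direct connections cannot sidestep the proxy check.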