You have INPUT on the private network set to ACCEPT.
Because it's INPUT, not FORWARD. You even linked where I note this: