From eth2, are you able to access the router at 172.16.1.1, or are you able to access devices in the 172.16.1.0/24 network? These are different things: access to the IP address 172.16.1.1 can be denied through an eth2_local ruleset (local direction), while access to devices in the 172.16.1.0/24 network should already be denied. In case of issues, run on the router:
sudo conntrack -F
and try again. For clarifications, take a look here.
Cheers,
jonatha
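As an added illustration (not part of jonatha's reply), the two directions the reply distinguishes can be written out side by side. This assumes a VyOS 1.3-style rule-set syntax; the rule-set names eth2_local and eth2_in and the rule numbers are illustrative choices, not taken from the thread.

```vyos
# Added example, not from the original reply. Assumes VyOS 1.3-style syntax;
# rule-set names eth2_local / eth2_in and rule numbers are illustrative.

# "local" direction: packets whose destination is the router itself.
# This is what controls whether a client on eth2 can reach 172.16.1.1.
set firewall name eth2_local default-action 'accept'
set firewall name eth2_local rule 10 action 'drop'
set firewall name eth2_local rule 10 destination address '172.16.1.1'
set interfaces ethernet eth2 firewall local name 'eth2_local'

# "in" direction: packets entering eth2 that the router forwards onward.
# This is what controls whether a client on eth2 can reach other hosts
# in 172.16.1.0/24 behind the router.
set firewall name eth2_in default-action 'accept'
set firewall name eth2_in rule 10 action 'drop'
set firewall name eth2_in rule 10 destination address '172.16.1.0/24'
set interfaces ethernet eth2 firewall in name 'eth2_in'

commit
save

# Flows already present in the connection-tracking table are matched as
# established before the per-interface rule sets are consulted, so a
# connection opened before the change keeps working. Flush the table
# (the command from the reply) and then test again from a client on eth2.
sudo conntrack -F
```

The point worth keeping in mind when testing: a rule in the local rule set says nothing about forwarded traffic, and vice versa, so check both destinations separately. The conntrack flush matters because `set firewall state-policy established action accept` (if configured) lets an existing flow bypass a freshly added drop rule until its tracking entry is gone; without the flush a test from an already-open session will give a misleading result.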