OK - here is the final version for me. I’ve been using this for the last week and all works A-OK.
This includes DNS and NTP redirects. I removed the port 853 redirects. All of the LOG statements are commented out. Uncomment them if you want to view.
Everything below is for GREEN only. Copy the line and change `green0` to `blue0` if needed.
Thank you to everyone above for your comments and guidance. I could not have done any of this without your posts! Y’all get 5 gold stars!
Here is my current `firewall.local`. Make sure you look it over before using. Use this at your OWN RISK.
```sh
#!/bin/sh
# Used for private firewall rules
#
# Use this at your OWN RISK. It is not fully supported!
# https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
#
# All rules are appended (-A) to the nat table's CUSTOMPREROUTING chain, so
# order matters: the ACCEPT exemptions must be added before the REDIRECT rules.
# nat-table rules only see the first packet of a connection, so the
# (commented-out) LOG rules log new connections, not every packet.
#
# See how we were called.
case "$1" in
    start)
        ## add your 'start' rules here
        #
        # ACCEPT from the following machine: it leaves the chain before the
        # REDIRECT rules below, so its DNS queries are NOT redirected
        #iptables -t nat -A CUSTOMPREROUTING -s 192.168.60.123/32 -p udp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "ACCEPTdr "
        iptables -t nat -A CUSTOMPREROUTING -s 192.168.60.123/32 -p udp --dport 53 -j ACCEPT
        #iptables -t nat -A CUSTOMPREROUTING -s 192.168.60.123/32 -p tcp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "ACCEPTdr "
        iptables -t nat -A CUSTOMPREROUTING -s 192.168.60.123/32 -p tcp --dport 53 -j ACCEPT
        #
        # Force DNS for green to query the firewall, and not an outside DNS server
        # REDIRECT DNS port 53 to FW (and not an outside DNS server).
        # REDIRECT without --to-ports sends the packet to the same port on the firewall itself.
        #iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNSREDIRECT "
        iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
        #iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNSREDIRECT "
        iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
        # REDIRECT NTP port 123 to FW (and not an outside NTP server)
        #iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "NTPREDIRECT "
        iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT
        ;;
    stop)
        ## add your 'stop' rules here
        # Each -D must match its -A rule above exactly, otherwise the rule stays in the chain
        #
        # ACCEPT from the following machine
        #iptables -t nat -D CUSTOMPREROUTING -s 192.168.60.123/32 -p udp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "ACCEPTdr "
        iptables -t nat -D CUSTOMPREROUTING -s 192.168.60.123/32 -p udp --dport 53 -j ACCEPT
        #iptables -t nat -D CUSTOMPREROUTING -s 192.168.60.123/32 -p tcp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "ACCEPTdr "
        iptables -t nat -D CUSTOMPREROUTING -s 192.168.60.123/32 -p tcp --dport 53 -j ACCEPT
        #
        #iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNSREDIRECT "
        iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
        #iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNSREDIRECT "
        iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
        #
        #iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "NTPREDIRECT "
        iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT
        ;;
    reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
    flush)
        # Empties the whole chain in one go, including any rule 'stop' failed to delete
        iptables -t nat -F CUSTOMPREROUTING
        ;;
    *)
        echo "Usage: $0 {start|stop|reload|flush}"
        ;;
esac
```
EDIT: in the stop section added deletes for missing rules. D’oh!
EDIT2: I deleted the reload when doing the above edit. Ugh! Sorry! Added reload section.
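The script above only works as intended if the ACCEPT exemption for the single machine is listed before the port-53 REDIRECT rules, and because every `start` appends with `-A`, running `start` twice (or a `reload` whose `stop` half failed to delete a rule) leaves duplicate or misordered rules in the chain. The following is an added example of my own, not code from the post or from IPFire: two small POSIX sh checks that read the output of `iptables -t nat -S CUSTOMPREROUTING` and flag either problem. The function names and the sample rule listings are constructed for this example; `check_live` is the only part that touches a real system and is not invoked here.

```sh
#!/bin/sh
# Added example (not from the original post): sanity checks for the nat-table
# CUSTOMPREROUTING chain built by firewall.local. Input is the text produced
# by `iptables -t nat -S CUSTOMPREROUTING`; the samples below are constructed.

# Returns 0 if no port-53 REDIRECT rule is listed before a port-53 ACCEPT
# exemption (iptables evaluates a chain top to bottom), 1 otherwise.
check_dns_exemption_order() {
    printf '%s\n' "$1" | awk '
        /--dport 53( |$)/ && /-j REDIRECT/ { seen_redirect = 1 }
        /--dport 53( |$)/ && /-j ACCEPT/ && seen_redirect { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Prints the number of distinct rule lines that occur more than once,
# which happens when "start" is run twice without a matching "stop".
count_duplicate_rules() {
    printf '%s\n' "$1" | grep '^-A ' | sort | uniq -d | awk 'END { print NR }'
}

# Wrapper for a running firewall (needs root; hypothetical helper, not run here).
check_live() {
    rules=$(iptables -t nat -S CUSTOMPREROUTING) || return 2
    check_dns_exemption_order "$rules" || { echo "exemption listed after redirect" >&2; return 1; }
    [ "$(count_duplicate_rules "$rules")" -eq 0 ] || { echo "duplicate rules present" >&2; return 1; }
}

# Constructed sample: the ordering the post's start) section produces.
GOOD_RULES='-N CUSTOMPREROUTING
-A CUSTOMPREROUTING -s 192.168.60.123/32 -p udp -m udp --dport 53 -j ACCEPT
-A CUSTOMPREROUTING -s 192.168.60.123/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
-A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
-A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT'

# Constructed sample: exemption appended after the redirect, so it never matches.
BAD_RULES='-N CUSTOMPREROUTING
-A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
-A CUSTOMPREROUTING -s 192.168.60.123/32 -p udp -m udp --dport 53 -j ACCEPT'

# Constructed sample: "start" run twice, one rule now appears twice.
DUP_RULES="$GOOD_RULES
-A CUSTOMPREROUTING -s 192.168.60.123/32 -p udp -m udp --dport 53 -j ACCEPT"
```

On a live box, `check_live` after `./firewall.local reload` is a quick way to confirm the `stop` half really removed everything before `start` re-added it; if it reports duplicates, `./firewall.local flush` followed by `start` gives a clean chain.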