Need help with firewall setiings ...

RouterOS Beginner Basics
1

Cant understand how its works …
Need block all input connections except provided services listed below … but its not override block rule ..

/ip firewall filter
add chain=input comment="connection-state=established" connection-state=\
    established
add chain=input comment="connection-state=related" connection-state=related
add action=drop chain=forward comment="connection-state=invalid" \
    connection-state=invalid
add action=jump chain=forward in-interface=!wan1 jump-target=LAN-WAN \
    out-interface=wan1
add action=jump chain=forward in-interface=wan1 jump-target=WAN-LAN \
    out-interface=!wan1
add action=drop chain=WAN-LAN disabled=yes
add chain=LAN-WAN
add chain=WAN-LAN comment=IPTV protocol=igmp (IPTV)
add chain=input comment=FTP dst-port=21 protocol=tcp (NATED FTP)
add chain=input comment=ICMP protocol=icmp (PING)
add chain=input comment=HTTP dst-port=80,100,200-215,9443 protocol=tcp -WEB SERVICES IN NETWORK (NATED)
add chain=input comment=SSH dst-port=22-23 protocol=tcp (NATED SSH)
add chain=input comment="DAHUA webcam" dst-port=39999 protocol=tcp (NATEDD)
add chain=input comment=mySQL dst-port=3306 protocol=tcp (NATED)
add chain=input comment=TeamSpeak dst-port=10011 protocol=tcp (NATED)
add chain=forward comment=TeamSpeak dst-port=9987 protocol=udp (NATED)
add chain=input comment=VPN dst-port=1723 protocol=tcp (INPUT VPN Connection)
add chain=input protocol=gre
add action=drop chain=input comment=BOGON in-interface=wan1 src-address-list=\
    BOGON
add action=reject chain=forward comment="Managed VLAN protection" \
    in-interface=vlan100 out-interface=vlan777
add action=reject chain=forward comment="Managed VLAN protection" \
    in-interface=vlan500 out-interface=vlan777
add action=reject chain=forward comment="Managed VLAN protection" \
    in-interface=vlan400 out-interface=vlan777
add action=reject chain=forward comment="Managed VLAN protection" \
    in-interface=vlan300 out-interface=vlan777
add action=reject chain=forward comment="Managed VLAN protection" \
    in-interface=vlan200 out-interface=vlan777
add action=drop chain=forward comment="brute mysql" dst-address=\
    188.127.239.91 protocol=tcp src-port=3306
2

The INPUT chain is only for services that run on the Mikrotik itself. For ports that are forwarded using NAT, these connections go through the FORWARD chain. (even though it’s an IP address of the Mikrotik)