Traffic to router itself goes in chain=input. Traffic through router (both outgoing and incoming, forwarded ports included) goes in chain=forward.
I don't know what you have now, but simple firewall that only allows access from internet to forwarded ports can look like this:
/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input protocol=icmp
add action=drop chain=input