I couldn't find a nice way to implement this. Maybe I'm missing something.
Let's say I have a router with two interfaces, ether1 and ether2.
I want to block ssh (tcp/22) traffic to the router itself when that traffic comes through ether1.
I have set up a filter, in the input chain, which says that traffic with protocol TCP, port 22 and in-interface ether1 should be dropped. Great, but...
if somebody comes in through ether1 but tries to ssh into the router using the IP address of ether2, then he is not blocked.
I'm assuming this is because the router first has to "route" the packet internally, and only then realizes that the packet is for the router itself, but because of that, I would need to make a rule in the forward chain also.
But that kinda sucks for me, because in my real use case, I have a lot more interfaces, so I'd have to basically add rules in order to block traffic for each and every IP address the router owns on its interfaces.
Is there an easier way to simply tell the router that if traffic comes in from interface X and is for you (no matter the IP address used as destination), then drop it?
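As an added example, not from the original post and assuming MikroTik RouterOS CLI syntax (the ether1/ether2 names and input/forward chains suggest it): an input-chain rule that uses the dst-address-type=local matcher, which matches any address the router itself owns on any interface, so one rule per ingress interface replaces one rule per router IP address. A log rule in front of it records the blocked attempts for detection.

```routeros
# Constructed example (assumes RouterOS syntax); not the poster's configuration.
/ip firewall filter

# Log SSH attempts that arrive on ether1 and target any router-owned address,
# so blocked attempts are visible in /log before the drop rule discards them.
add chain=input in-interface=ether1 dst-address-type=local \
    protocol=tcp dst-port=22 action=log log-prefix="ssh-ether1-blocked" \
    comment="log SSH to router via ether1"

# Drop the same traffic. dst-address-type=local covers the IP of ether2 (and every
# other local address) without naming each address explicitly.
add chain=input in-interface=ether1 dst-address-type=local \
    protocol=tcp dst-port=22 action=drop \
    comment="drop SSH to any router-owned address via ether1"
```

Rules are evaluated top to bottom, so place these above any general accept rule for established traffic or for management access in the input chain.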