I need to block ip address using iptables in my router. In my router I'm forwarding port 22 to my computer. If I use iptables -A INPUT -s xx.xx.xx.xx -j DROP then I'm still able to ssh to my computer. What's the proper iptable to block IP in my router even when it's forwarding to my computer?

Answer to my own question.

If there are other better methods please let me know

Hello Almaz,

Are you setting the rules in the router or in your computer ?

Router

I have found this link to be a valuable resource to iptables:
https://www.frozentux.net/documents/iptables-tutorial/

As with all low level programs like this, there are multiple solutions to a problem. So I wouldn't say there's a better method then yours (You wanted to block a ip address and you blocked it - case solved)

However, do you want to be more specific? Should the source ip you blocked want to access its.. webserver it would also be blocked.

So perhaps this will limit only what you want to limit. However note that any other ips can still connect should your policy be set to accept. (If it's to drop, then both this and yours are irrevelvant.)

REJECT just means it says something along the lines of "Connection Refused". If you want to be stealthy, change to drop.
--dport means destination port, -p refers to a specific protocol.

Just so you understand what you've just done: the reason why you needed to use the FORWARD chain and not the INPUT chain was that INPUT refers to the packets the destination of which is the router itself, packets that are filtered by the kernel. Whereas packets not destined for the router itself (if you don't specify it otherwise) and are assigned to a different route by the router go directly through the FORWARD chain and then outside towards their destination. So it's PREROUTING - FORWARD - POSTROUTING - it skips the INPUT chain altogether, so therefore it's a more efficient way to use resources.

You should really take a look at some iptables schemes and documentation.