Ok, your statement applies for the IP filter No. 3 (the RDP connection). But for the IP filter No. 2 (the SSH one) this doesn't apply.
In fact, being a connection to the router, it seems I don't need any NAT rule, as the router seems to listen on port 22 on all its IP addresses (be it internal or external).
So for port 22 connectivity I only need rule No. 2 in the INPUT chain, and no rule in NAT.
That's correct. No need to NAT anything, because packets to the router's IPs will be passed through the input filter. You can specify which networks/IPs each service is available from in the Winbox IP/Services menu.
You were saying that I don't have any rule in forward chain to drop packets. There is one default rule to drop connections with "invalid" state.
/ip firewall filter
add action=drop chain=forward comment="Drop forwarded invalid connections" connection-state=invalid
Were you talking about this one from above, or did you mean that I should have something like this below, placed after all rules in the forward chain?
/ip firewall filter
add action=drop chain=forward
TCP communications must go through some given steps. If some connection does not follow them for any reason, it becomes an "invalid" connection. But you are trying to "block any connection not specifically allowed before, even if they are valid connections". For that, you need to put a last forward rule as you said:
/ip firewall filter add action=drop chain=forward
Make sure this is the last rule!!
Regards
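Added example, not part of the original thread: a small Python check that reads a `/ip firewall filter` export and confirms the catch-all drop discussed above is the last active rule of a chain. The sample export, its port numbers, and the function names are constructed for illustration.

```python
import shlex

# Constructed sample export (not from the thread); dst-port values are assumptions.
SAMPLE_EXPORT = '''\
/ip firewall filter
add action=accept chain=input comment="SSH to router" dst-port=22 protocol=tcp
add action=drop chain=forward comment="Drop forwarded invalid connections" connection-state=invalid
add action=accept chain=forward comment="RDP to LAN host" dst-port=3389 protocol=tcp
add action=drop chain=forward
'''

# Keys that do not narrow what a rule matches.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}

def parse_filter_rules(export_text):
    """Return the filter rules as dicts, in export order."""
    rules, in_filter = [], False
    # RouterOS wraps long export lines with a trailing backslash; join them first.
    for line in export_text.replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("/"):
            # Handles the section header and the one-line "/ip firewall filter add ..." form.
            in_filter = line.startswith("/ip firewall filter")
            line = line[len("/ip firewall filter"):].strip() if in_filter else ""
        if in_filter and line.startswith("add "):
            rules.append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return rules

def is_unconditional_drop(rule):
    return rule.get("action") == "drop" and not (set(rule) - NON_MATCHERS)

def check_default_drop(rules, chain="forward"):
    """Return (ok, message): is the chain's last active rule its only catch-all drop?"""
    active = [r for r in rules if r.get("chain") == chain and r.get("disabled") != "yes"]
    drops = [i for i, r in enumerate(active) if is_unconditional_drop(r)]
    if not drops:
        return False, f"{chain}: no catch-all drop, unmatched packets are accepted"
    shadowed = len(active) - 1 - drops[0]
    if shadowed:
        return False, f"{chain}: {shadowed} rule(s) placed after the catch-all drop never match"
    return True, f"{chain}: catch-all drop is the last rule"

if __name__ == "__main__":
    for chain in ("input", "forward"):
        print(check_default_drop(parse_filter_rules(SAMPLE_EXPORT), chain)[1])
```

On the sample, the forward chain passes and the input chain is reported as having no catch-all drop.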