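# Chain for traffic forwarded from eth0 to eth1
iptables -N eth0toeth1
iptables -A FORWARD -i eth0 -o eth1 -j eth0toeth1
iptables -A eth0toeth1 -p tcp -m tcp --dport 80 -j ACCEPT
# add any more rules
# A user-defined chain cannot have a policy (-P), so end it with an explicit DROP
iptables -A eth0toeth1 -j DROP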
Or, as you say, to avoid exponential combinations, just make a chain for each zone (interface) and explicitly allow specific protocols/ports to target interfaces. Zones with multiple interfaces are just multiple rules to jump to the same zone chain.
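The per-zone layout described above, as an added example that is not part of the original answer: a script that prints the iptables commands for review instead of running them. The zone names, the interface eth2, the ports, the helper function names and the conntrack rule for reply traffic are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print (do not run) iptables commands for a per-zone layout.
# Zone names, interfaces and ports below are constructed sample values.

# zone_chain ZONE "IFACES": one chain per source zone; every interface in
# the zone gets its own jump rule to the same chain.
zone_chain() {
    echo "iptables -N zone_$1"
    for ifc in $2; do
        echo "iptables -A FORWARD -i $ifc -j zone_$1"
    done
}

# zone_allow ZONE OUT_IFACE PROTO DPORT: allow one service from the zone
# towards one target interface.
zone_allow() {
    echo "iptables -A zone_$1 -o $2 -p $3 --dport $4 -j ACCEPT"
}

# zone_close ZONE: user-defined chains cannot have a policy, so the
# default deny is an explicit final DROP rule.
zone_close() {
    echo "iptables -A zone_$1 -j DROP"
}

build_ruleset() {
    # Assumption: replies to allowed connections are accepted up front,
    # otherwise the other zone's final DROP would discard them.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    zone_chain lan "eth0"
    zone_allow lan eth1 tcp 80
    zone_allow lan eth2 tcp 443
    zone_close lan

    zone_chain dmz "eth1 eth2"      # two interfaces, one zone chain
    zone_allow dmz eth0 udp 514
    zone_close dmz
}

build_ruleset
```

Two zones need two chains here, however many interface pairs exist; the output can be piped to `sh` as root once it has been reviewed.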