Although, I'm still not sure why you logically consider and separate this differently...it's not like the machine magically becomes a different machine because it has another IP. I can only imagine that you're trying to isolate a service on the router from the private VLAN - other than the web GUI... otherwise, I don't understand the effort; but yes, @trendy's rule will work to only allow access to the preferred DST IP. Please note, some users have subsequently locked themselves out of configuring their router by adding such rules.
I will admit the INPUT thing somewhat baffled me when I first learned iptables.
The web GUI is not the only service needed for a LAN usually (i.e. DHCP, DNS, NTP).
I wouldn't recommend it for the lan zone. You might get locked out.
This is the zone name, not the interface name. You are also not using ports or protocols, so this rule is basically reverting the drop on input policy. Yes, it will be limiting the input to just the interface IP, in case you are running multiple instances of the same server.
The paradigm you are trying to implement doesn't work well for OpenWrt.
There are protocols like DHCP which cannot work properly if you limit the destination address scope in the firewall rule and restrict everything else.
Moreover, using interface/socket binding is unreliable due to possible race conditions which procd has no means to resolve.
Now I can't access Luci's uhttpd from any zone but private anymore, but I can still access the mosquitto service on the router whereever mosquitto is listening on the zone's IP address of the router, plus any other service the router might offer on those IP addresses (DHCP, DNS, ...):
The service may fail to start if the interface is not ready.
Restarting the interface can make the service inoperable.
Among the affected services are Dropbear, uHTTPd and others.