With physical interfaces only, all works well. When I try to filter traffic between 2 LANs attached to the same physical interface but with 2 different virtual IPs, it starts messing up. Nothing works, I can't even log packets.
Netfilter does not know about virtual interfaces. Use physical interface names in combination with source and/or destination addresses (for example "-i eth0 -s 192.168.0.0/24").
From the security side, you are not gaining anything by filtering between two virtual interfaces on the same wire -- stations on those two networks can talk to each other directly anyhow. If you haven't disabled ICMP redirects, you'll see that the Linux kernel is sending out ICMP redirects telling 192.168.0.1 that 192.168.1.1 is on the same wire and to talk to it directly.
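The advice in the reply above, written out as an added example that is not part of the original thread: rules keyed on the physical device plus subnets, and ICMP redirects switched off. It assumes eth0 carries 192.168.0.0/24 and 192.168.1.0/24 as alias addresses (eth0:0 and eth0:1 are assumed names); the function names and the "lan2lan" log prefix are hypothetical.

```shell
#!/bin/sh
# Added example: filter routed traffic between two subnets that share one NIC.
# Dry run by default (commands are printed). Run as root with RUN= to apply.
RUN=${RUN-echo}

# Netfilter matches on the physical device name, so "eth0:1" must become "eth0".
phys_if() {
    printf '%s\n' "${1%%:*}"
}

# Log, then drop, packets this box routes from subnet $2 to subnet $3.
# They enter and leave on the same device, hence -i and -o are identical.
# Only routed traffic is seen here; hosts that talk directly on the wire
# never pass through FORWARD.
lan_to_lan_rules() {
    dev=$(phys_if "$1"); src=$2; dst=$3
    $RUN iptables -A FORWARD -i "$dev" -o "$dev" -s "$src" -d "$dst" \
        -j LOG --log-prefix "lan2lan: "
    $RUN iptables -A FORWARD -i "$dev" -o "$dev" -s "$src" -d "$dst" -j DROP
}

# Stop the kernel from sending ICMP redirects that tell hosts to bypass it.
# send_redirects is enabled if either "all" or the device value is 1,
# so both must be set to 0.
no_redirects() {
    dev=$(phys_if "$1")
    $RUN sysctl -w net.ipv4.conf.all.send_redirects=0
    $RUN sysctl -w "net.ipv4.conf.$dev.send_redirects=0"
}

no_redirects eth0:0
lan_to_lan_rules eth0:0 192.168.0.0/24 192.168.1.0/24
lan_to_lan_rules eth0:1 192.168.1.0/24 192.168.0.0/24
```
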