If one of the interfaces connects to the public Internet, it should have a firewall with an INPUT DROP policy to block all incoming connections. Then you can add individual rules to open specific ports.
The first rule blocks everything by default. The second rule allows SSH connections that arrive on eth1. You might also want to consider whether to block forwarding by default (if you permit forwarding in /etc/sysctl.conf) and only allow packets to be forwarded in specific circumstances. See "man iptables" for details.
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT