The first rule should allow the loopback interface to communicate with itself. Without it, the system cannot run. The second rule in the INPUT chain should allow all ESTABLISHED and RELATED connections in. Otherwise your outgoing connections cannot return. Ping is good to allow, too. The fourth rule can then be the one you use to allow NEW tcp connections on port 22 from a specific address or range of addresses.
Here's what I would suggest. Note the -s for source address. Change that to the IPv4 address of the host you would like to allow incoming connections from.
# loopback first; the box cannot function without it
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
# let replies to our own outgoing connections back in
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow the courtesy of at least a ping
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# new SSH connections only from 10.10.10.10, rate limited
iptables -A INPUT -p TCP -s 10.10.10.10 --dport 22 -m state --state NEW -m limit --limit 4/minute --limit-burst 5 -j ACCEPT
# Default policy can't use REJECT, so we add these at the end
iptables -A INPUT -j REJECT # hack for changing default policy
I prefer to end the INPUT chain with a default REJECT target.
If that is too complex you might look at the manual page for sshd_config and see that you can restrict by source address there instead.
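An added example, not part of the post above: the same four-rule INPUT chain packaged as a script that generates an iptables-save style ruleset and loads it atomically with iptables-restore, instead of appending rule by rule. Appending leaves a window where the chain is half built, and a typo in a later rule (or re-running the commands, which duplicates every rule) can lock you out of the SSH session you are typing in; iptables-restore either loads the whole table or none of it. The source address is validated before it is interpolated, and the ruleset can be parsed with `iptables-restore --test` before it is applied. The address 10.10.10.10 and the script name are placeholders. Note that the file replaces the whole filter table, so FORWARD and OUTPUT are reset to an ACCEPT policy with no rules, and that this covers IPv4 only; ip6tables has its own, separate chains.

```shell
#!/bin/sh
# Added example (not code from the original post): build the INPUT chain
# described above as an atomic iptables-restore ruleset. The allowed source
# address passed on the command line is a placeholder for your own host/range.
set -eu

# Accept a bare IPv4 address or an IPv4 CIDR; refuse anything else so an
# unexpected value never ends up interpolated into the ruleset.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the filter table in iptables-save format. Order matters: loopback and
# ESTABLISHED,RELATED come first so the session you are working from survives,
# then rate-limited ping, then NEW SSH from the allowed source, then a
# catch-all REJECT (a chain policy itself can only be ACCEPT or DROP).
# conntrack/--ctstate is the current spelling of the older state/--state match.
build_input_ruleset() {
    src="$1"
    valid_ipv4_cidr "$src" || { echo "bad source address: $src" >&2; return 1; }
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -p tcp -s $src --dport 22 -m conntrack --ctstate NEW -m limit --limit 4/minute --limit-burst 5 -j ACCEPT
-A INPUT -j REJECT
COMMIT
EOF
}

# Number of INPUT rules in the generated ruleset; a quick sanity check that
# nothing was dropped or duplicated.
rule_count() {
    build_input_ruleset "$1" | grep -c '^-A INPUT'
}

# Usage (both need root):
#   sh input-rules.sh check 10.10.10.10   parse only, do not load
#   sh input-rules.sh apply 10.10.10.10   load the whole table atomically
case "${1:-}" in
    check) build_input_ruleset "${2:?source address required}" | iptables-restore --test ;;
    apply) build_input_ruleset "${2:?source address required}" | iptables-restore ;;
esac
```

Run the `check` form first from a console or an existing SSH session that matches the allowed source; if it parses, `apply` swaps the table in one step, and the ESTABLISHED,RELATED rule keeps the session you applied it from alive.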