Currently you have the following rule:
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
as rule number 2 in the INPUT chain. The rule allows SSH from everywhere; however, you want to restrict this to one specific IP. First off, you should delete the original rule:
iptables -D INPUT 3
Then you need to construct a new rule to do what you want. You can do this with:
iptables -A INPUT -p tcp -s YOUR.REMOTE.IP.ADDR --dport 22 -j ACCEPT
Here's a brief explanation (see the man page for more info):
-A INPUT is to append (-A) a rule to the INPUT chain
-p tcp says that the rule applies only to TCP packets (SSH runs over TCP)
-s YOUR.REMOTE.IP.ADDR says that the source (-s) must match your remote IP for this to apply (obviously, you need to replace YOUR.REMOTE.IP.ADDR with the actual address you want to use).
--dport 22 says that the destination TCP port must be 22 for the rule to match (this is the port SSH uses by default)
Finally -j ACCEPT specifies that if the three criteria (TCP, from YOUR.REMOTE.IP.ADDR, and going to port 22) all match then the packet should be accepted.
Note: This assumes that the chain's default policy is DROP (it appears to be ACCEPT in your post) so that packets that don't match any rule are dropped. The alternative to this is setting up some rule later down the chain that actually drops the unwanted packets (if you're unsure of whether you have this right, post the full output of "iptables -L" so we can help you).
Warning 1: It's not wise to tinker with firewall settings for SSH when your shell is connected via SSH, for obvious reasons. You can easily lock yourself out if you're not careful, necessitating a trip to the machine's physical location so you can fix the rule from the console (I've done this more times than I care to admit).
Warning 2: Linux distros generally load the iptables rules from a config file on boot since the kernel has no way of preserving them between reboots (some distros have a script that does it automatically). What I like to do is make a little script with my iptables setup and then run it from /etc/rc.local so it starts at boot (it's probably better to run it slightly earlier, after networking has started but before any services, so there's no gap between when services start and firewall rules are applied; however, running it out of rc.local should be fine for all but the truly, truly paranoid).
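The following is an added example, not code from the answer above: a small boot-time firewall script of the kind Warning 2 describes, which rebuilds the INPUT chain so that SSH is reachable from one admin address only and the default policy is DROP (so the Note above about unmatched packets is covered). Unlike the in-place delete/append in the answer, it flushes INPUT and recreates the rules, which is the usual shape for a script run from rc.local. The address 203.0.113.10 is a constructed placeholder, the `valid_ipv4` check and the `DRY_RUN` variable are this example's own additions, and the ESTABLISHED,RELATED rule is there so an SSH session that is already open (see Warning 1) keeps working while the policy changes.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the INPUT chain so that
# new SSH connections are accepted only from one admin address.
# Set DRY_RUN=1 to print the iptables commands instead of executing them.

# Constructed placeholder address (TEST-NET-3); replace with your real admin IP.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"

# Run a command, or just print it when DRY_RUN=1 (useful for reviewing the
# rule set before applying it over an SSH session).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse obviously malformed addresses: an empty or bad -s value would either
# fail at iptables or, worse, leave SSH open to everyone.
valid_ipv4() {
    addr="$1"
    case "$addr" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the INPUT chain from scratch. The policy is set to DROP last, after the
# accept rules exist, so there is no window where everything is dropped.
apply_ssh_rules() {
    ip="$1"
    if ! valid_ipv4 "$ip"; then
        echo "refusing to apply rules: invalid admin address '$ip'" >&2
        return 1
    fi
    run iptables -F INPUT
    # Loopback traffic is always allowed.
    run iptables -A INPUT -i lo -j ACCEPT
    # Keep existing sessions (including the SSH session running this script).
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New SSH connections only from the admin address.
    run iptables -A INPUT -p tcp -s "$ip" --dport 22 -m state --state NEW -j ACCEPT
    # Everything else is dropped by the chain's default policy.
    run iptables -P INPUT DROP
}

# Apply only when invoked with an address argument, e.g.:
#   DRY_RUN=1 sh firewall.sh 203.0.113.10   (review)
#   sh firewall.sh 203.0.113.10             (apply, as root)
if [ "$#" -gt 0 ]; then
    apply_ssh_rules "$1"
fi
```

Review the printed rule set with DRY_RUN=1 first; when run for real it needs root, and if the INPUT policy was previously ACCEPT the DROP policy takes effect immediately, which is exactly the lock-out situation Warning 1 describes if the admin address is wrong.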