I am trying to block SSH Access to my server and only allow 192.168.0.0/24 subnet.

But for some reason, it isn't working quite right. Any machines from 192.168.1.0/24 can access.

I've already tried "iptables -A C-RULES -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT" which should only accept ssh connections from 192.168.0.* subnet.

Can someone tell me what's wrong with my firewall rules? I'm using RHEL5.5

Here is my /etc/sysconfig/iptables:

[root@ws5 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Wed Nov 10 23:25:10 2010
*filter
:INPUT ACCEPT [100:8477]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [98:8676]
:C-RULES - [0:0]
-A C-RULES -i lo -j ACCEPT
-A C-RULES -p icmp -j ACCEPT
-A C-RULES -p tcp -m tcp --dport 631 -j ACCEPT
-A C-RULES -p udp -m udp --dport 631 -j ACCEPT
-A C-RULES -m state --state RELATED,ESTABLISHED -j ACCEPT
-A C-RULES -p tcp -m tcp --dport 22 -s 192.168.1.0/24 -j REJECT
-A C-RULES -j LOG
-A C-RULES -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Nov 10 23:25:10 2010

Can you post your currently active configuration? Like this:It seems as if though you aren't sending the packets into the chain you built, in which case the solution would be something like:...but let's see what you've got first.

you forgot to send packet to c-rules table.

Thanks much win32sux and kaushalpatel1982.

My iptables rule is working now.

I normally use the INPUT chain so I never had to send it to a new chain. Since this rule is used on a new subnet, I did not know that we need to send the packets to the new chain.