Problem with firewall and SSH port forwarding
- From: tinnews@xxxxxxxxxx
- Date: 14 Jan 2008 21:14:20 GMT
I'm trying to restrict access to my machine by restricting the IP
addresses from which outside ssh connections can be made.

I have successfully done this for normal ssh connections on port 22; I
have set up rules on my Speedtouch router that allow ssh access for
only a few specified IP addresses.

However I just can't seem to get an ssh connection which does port
forwarding to work.

If I allow ssh connections from anywhere the port forwarding works but
if I restrict connections (to what seem reasonable IP addresses) it
doesn't work.

The 'client' is trying to do the following:-

    ssh -l chris -R 50022:apollo:22 -N 84.45.228.40

84.45.228.40 is the address of the Speedtouch router (on the WAN side,
i.e. the ADSL connection). There is a NAT mapping from WAN to LAN in
the router to connect across to the Linux server where the ssh daemon
is.

As I said I have got ordinary ssh working with the firewall such that
only connections from my 'preferred' IP addresses work. But I can't
get that port forwarding to work unless I open up the router to ssh
from any address.

The client machine is behind its own firewall, the IP address of the
machine itself is a private one, 10.10.10.2. Obviously there is some
sort of NAT going on at the client end as well and the connection
appears to come from a routed IP address. The environment on the
client machine shows:-

    SSH_CLIENT=10.10.10.2 48910 22
    SSH_CONNECTION=10.10.10.2 48910 10.10.10.2 22

I have opened up my firewall to 10.10.10.2 (though I suspect this is
pointless) and to the IP address that the client machine appears as on
the internet but no joy.

Has anyone any ideas what I need to do or whether it's even possible?

--
Chris Green