AllowGroups and Match Address for SSH

Maybe pam_access would be a better way to do this?

eg: in /etc/security/access.conf, do lines like:

    + : root : 192.168.0.
    + : localonlygroup : 192.168.0.
    + : remoteuser : ALL
    - : ALL : ALL

Then, in /etc/pam.d/sshd, around where there's probably a line like:

    account    required     pam_nologin.so

add another line like:

    account    required     pam_access.so
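As an added worked example (not part of the answer above), the following Python script evaluates the access.conf rules just shown with pam_access's first-match-wins semantics, so the policy can be sanity-checked for lock-outs before it is enabled on a live host. It covers only the syntax used here (`+`/`-`, a user or group name or `ALL`, and an origin that is `ALL` or a dotted prefix ending in `.`); group membership and the sample logins are constructed inputs.

```python
# Constructed copy of the access.conf lines from the answer above.
ACCESS_CONF = """\
+ : root : 192.168.0.
+ : localonlygroup : 192.168.0.
+ : remoteuser : ALL
- : ALL : ALL
"""

def parse_rules(text):
    """Parse 'perm : who : origin' lines into (permit, who, origin) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, who, origin = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+", who, origin))
    return rules

def origin_matches(pattern, addr):
    """ALL matches anything; a pattern ending in '.' is a string prefix match."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern

def who_matches(pattern, user, groups):
    """Second field may name the user, one of their groups, or ALL."""
    return pattern == "ALL" or pattern == user or pattern in groups

def allowed(rules, user, groups, addr):
    """First matching rule decides. With no match pam_access grants access,
    which is why the trailing '- : ALL : ALL' line is essential."""
    for permit, who, origin in rules:
        if who_matches(who, user, groups) and origin_matches(origin, addr):
            return permit
    return True

if __name__ == "__main__":
    rules = parse_rules(ACCESS_CONF)
    # Constructed logins: (user, groups, source address)
    for user, groups, addr in [("root", ["root"], "192.168.0.10"),
                               ("root", ["root"], "203.0.113.7"),
                               ("alice", ["localonlygroup"], "203.0.113.7"),
                               ("remoteuser", ["users"], "203.0.113.7")]:
        print(f"{user}@{addr}: {'allow' if allowed(rules, user, groups, addr) else 'deny'}")
```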

It is possible to achieve exactly what you are trying!

One solution is to run two different sshd instances, one for external facing users and one for internal users. With some clever use of the iptables REDIRECT target, you can continue to allow people to connect to sshd on port 22, but depending on where they're coming from they'll get the appropriate instance. Something like:

    # Connect inside users to "inside" sshd.
    iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 22 -j REDIRECT --to-ports 2200

    # Connect outside users (any source not in the inside network) to "outside" sshd.
    iptables -t nat -A PREROUTING ! -s 192.168.1.0/24 -p tcp --dport 22 -j REDIRECT --to-ports 2201

This presumes you have the inside sshd listening on port 2200 and the outside sshd listening on port 2201, and that each one is using an appropriately configured sshd_config file. Note also that for this to work you'll need:

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 2200 -j ACCEPT
    iptables -A INPUT -p tcp --dport 2201 -j ACCEPT

We do exactly this for some of our interactive login hosts and it works nicely.