Thanks to this, but if I apply this rule, I cannot get myself out of range 192.168.20.4-100 to administer clients to addresses 192.168.20.110-114
Dude - you really need to learn what you're doing if you're going to get this picky about stuff and not just expect people to do everything for you.
Then your forward chain can have a rule that says:
chain=forward src-address-list="LimitedClients" dst-address-list="ProtectedHosts" action=drop
Look at this rule: it only matches (and drops) traffic if it is FROM the LimitedHosts and going TO the ProtectedHosts. Packets that get accepted before they reach this rule will not be dropped... Okay - so if you want the ProtectedHosts to have access to the LimitedHosts, then what you do is you place the above rule AFTER a rule which allows established,related connections, and then your requirement will be met. This is because the initial packet from Protected->Limited will NOT match this drop rule. The reply from the Limited->Protected host will get accepted by the established,related rule before it can reach the drop rule, so that will work. If a Limited host tries to make a new connection to the Protected hosts, the first (SYN) packet will NOT be established or related state - it will be in NEW state, so the "accept established,related" rule will not accept the packet - it will continue down the chain until reaching this rule which says to drop the packet. Thus no new connection will ever reach the established state.
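To make the ordering argument above concrete, here is an added example (not from the poster or from RouterOS) that simulates a two-rule forward chain with a toy connection tracker and walks the three packets the reply describes; the address-list ranges are constructed and the tracker keys only on the address pair, not full 5-tuples.

```python
import ipaddress

# Constructed address lists standing in for the RouterOS address-lists named in the
# reply (values are examples, not taken from anyone's configuration).
ADDRESS_LISTS = {
    "LimitedClients": ("192.168.20.4", "192.168.20.100"),
    "ProtectedHosts": ("192.168.20.110", "192.168.20.114"),
}

# Forward chain in the order the reply recommends: accept established,related
# ABOVE the address-list drop. Reverse the list to see the drop win instead.
FORWARD_CHAIN = [
    {"connection-state": {"established", "related"}, "action": "accept"},
    {"src-address-list": "LimitedClients", "dst-address-list": "ProtectedHosts",
     "action": "drop"},
]

def in_list(ip, name):
    lo, hi = (int(ipaddress.ip_address(a)) for a in ADDRESS_LISTS[name])
    return lo <= int(ipaddress.ip_address(ip)) <= hi

def conn_state(flows, src, dst):
    # Toy connection tracker keyed on the address pair only (no ports/protocol):
    # a flow is "established" once a packet in either direction was accepted.
    return "established" if (src, dst) in flows or (dst, src) in flows else "new"

def evaluate(chain, flows, src, dst):
    """Return the action of the first rule matching this packet; a chain with no
    matching rule accepts, which is the RouterOS default when nothing matches."""
    state = conn_state(flows, src, dst)
    action = "accept"
    for rule in chain:
        if "connection-state" in rule and state not in rule["connection-state"]:
            continue
        if "src-address-list" in rule and not in_list(src, rule["src-address-list"]):
            continue
        if "dst-address-list" in rule and not in_list(dst, rule["dst-address-list"]):
            continue
        action = rule["action"]
        break
    if action == "accept":
        flows.add((src, dst))  # conntrack now knows this flow
    return action

def scenario(chain=FORWARD_CHAIN):
    flows = set()
    protected, limited = "192.168.20.112", "192.168.20.50"
    return {
        "protected_to_limited_syn": evaluate(chain, flows, protected, limited),
        "limited_reply": evaluate(chain, flows, limited, protected),
        "limited_to_protected_syn": evaluate(chain, flows, limited, "192.168.20.113"),
    }
```

Running scenario() with the chain reversed shows the failure the reply warns about: the reply packet from the limited host is dropped before the established,related rule can accept it.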