1 line in your firewall script will get you the protection you want
(assuming you're using iptables and that your default policy is DROP):
    iptables -t filter -A INPUT -p tcp -s <your_subnet> --dport 23 \
        -i <your_LAN_interface> -j ACCEPT
Example:
    iptables -t filter -A INPUT -p tcp -s 192.168.1.0/24 --dport 23 \
        -i eth0 -j ACCEPT
Don't know what the ipchains equivalent would be.
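
The rule above only restricts telnet if the INPUT policy really is DROP and no other rule accepts port 23 more broadly. The following check is an added example, not part of the original post: audit_telnet, good_rules and bad_rules are hypothetical names, the rule sets are constructed samples, and the input is assumed to be the output of `iptables -S INPUT`.

```shell
#!/bin/sh
# Added example, not from the original post. audit_telnet is a hypothetical
# helper that reads `iptables -S INPUT` output on stdin.
# Usage: iptables -S INPUT | audit_telnet 192.168.1.0/24 eth0
# Returns 0 when the INPUT policy is DROP and every ACCEPT rule naming
# --dport 23 is limited to the given source subnet and inbound interface.
# Scope: only rules with a literal "--dport 23" and a match-less
# "-A INPUT -j ACCEPT" are examined; port ranges, multiport and user-defined
# chains are not evaluated.
audit_telnet() {
    awk -v subnet="$1" -v iface="$2" '
    $1 == "-P" && $2 == "INPUT" { policy = $3 }
    $1 == "-A" && $2 == "INPUT" {
        src = ""; inif = ""; dport = ""; target = ""
        for (i = 3; i < NF; i++) {
            neg = ($(i - 1) == "!") ? "!" : ""   # keep a negation visible
            if ($i == "-s") src = neg $(i + 1)
            if ($i == "-i") inif = neg $(i + 1)
            if ($i == "--dport") dport = neg $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (target != "ACCEPT") next
        if (NF == 4) { print "accepts everything: " $0; bad = 1; next }
        if (dport == "23" && (src != subnet || inif != iface)) {
            print "telnet open beyond LAN: " $0; bad = 1
        }
    }
    END {
        if (policy != "DROP") {
            print "INPUT policy is " (policy == "" ? "unknown" : policy) ", not DROP"
            bad = 1
        }
        exit bad + 0
    }'
}

# Constructed sample rule sets (not captured from a real host).
good_rules() {
    printf '%s\n' '-P INPUT DROP' \
        '-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 23 -j ACCEPT'
}
bad_rules() {
    printf '%s\n' '-P INPUT ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT'
}

good_rules | audit_telnet 192.168.1.0/24 eth0 && echo "good_rules: ok"
bad_rules | audit_telnet 192.168.1.0/24 eth0 || echo "bad_rules: findings listed above"
```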