Systemd includes a feature to restrict which IP addresses can communicate with a service: the IPAddressAllow= and IPAddressDeny= settings, enforced per unit by eBPF programs attached to the service's cgroup. The neat thing is that these rules operate independently of any iptables or nftables configuration, providing an extra layer of security that follows the unit rather than the host firewall.
Restricting SSH to a local subnet
As an example, let's restrict sshd to the 192.168.1.0/24 subnet. Run systemctl edit sshd.service and add the following.
[Service]
IPAccounting=yes
IPAddressDeny=0.0.0.0/0
IPAddressAllow=192.168.1.0/24
Then run systemctl daemon-reload; systemctl restart sshd. Confirm the drop-in took effect with systemctl show sshd.service -p IPAddressAllow -p IPAddressDeny, and check that a connection from a host outside 192.168.1.0/24 no longer gets through (the filter drops the packets, so the client times out rather than being refused). Two caveats: 0.0.0.0/0 covers IPv4 only, so if sshd also listens on IPv6 those connections are still permitted; IPAddressDeny=any denies both 0.0.0.0/0 and ::/0. And IPAccounting=yes is not required for the filter; it only turns on the per-unit traffic counters that systemctl status sshd then displays.
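To see what the drop-in above actually permits before rolling it out, here is an added Python example (not part of the original post and not systemd code) that parses IPAddressAllow=/IPAddressDeny= lines the way systemd.resource-control(5) describes them: symbolic names such as any, localhost, link-local and multicast expand to both address families, an empty assignment resets the list, an allow match wins over a deny match, and an address matching neither list is permitted. The sample drop-in text is the one from this post, embedded inline; the function and variable names are the example's own.

```python
import ipaddress

# Symbolic names documented for IPAddressAllow=/IPAddressDeny= and what they expand to.
SYMBOLIC = {
    "any": ["0.0.0.0/0", "::/0"],
    "localhost": ["127.0.0.0/8", "::1/128"],
    "link-local": ["169.254.0.0/16", "fe80::/64"],
    "multicast": ["224.0.0.0/4", "ff00::/8"],
}


def expand(token):
    """Turn one list token into ip_network objects (a bare address means /32 or /128)."""
    if token in SYMBOLIC:
        return [ipaddress.ip_network(n) for n in SYMBOLIC[token]]
    return [ipaddress.ip_network(token, strict=False)]


def parse_dropin(text):
    """Collect the allow and deny lists from a [Service] drop-in (other keys are ignored)."""
    allow, deny = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key not in ("IPAddressAllow", "IPAddressDeny"):
            continue
        target = allow if key == "IPAddressAllow" else deny
        if not value:
            target.clear()  # an empty assignment resets a list setting in unit files
            continue
        for token in value.split():
            target.extend(expand(token))
    return allow, deny


def is_permitted(addr, allow, deny):
    """Allow list is consulted first, then deny; unmatched traffic passes."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in allow if net.version == ip.version):
        return True
    if any(ip in net for net in deny if net.version == ip.version):
        return False
    return True


def fail_open_families(allow, deny):
    """IP versions (4 and/or 6) for which the deny list has no entry at all.

    An allow-list firewall needs a catch-all deny per family; a family listed here
    is reachable from anywhere regardless of IPAddressAllow=.
    """
    covered = {net.version for net in deny}
    return {4, 6} - covered


# Constructed sample: the drop-in from the post above.
PAGE_DROPIN = """[Service]
IPAccounting=yes
IPAddressDeny=0.0.0.0/0
IPAddressAllow=192.168.1.0/24
"""

# Same drop-in with the symbolic catch-all, which also covers ::/0.
FIXED_DROPIN = PAGE_DROPIN.replace("IPAddressDeny=0.0.0.0/0", "IPAddressDeny=any")


def report(text, clients):
    """Map each client address to True/False under the given drop-in."""
    allow, deny = parse_dropin(text)
    return {c: is_permitted(c, allow, deny) for c in clients}


if __name__ == "__main__":
    clients = ["192.168.1.10", "10.0.0.5", "2001:db8::1"]
    for label, text in (("as posted", PAGE_DROPIN), ("with any", FIXED_DROPIN)):
        allow, deny = parse_dropin(text)
        print(label, report(text, clients), "fail-open families:", fail_open_families(allow, deny))
```

Running it shows that 2001:db8::1 is still permitted by the drop-in as posted, because the deny list has no IPv6 entry, while IPAddressDeny=any closes that gap without changing the allowed subnet.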