Systemd includes a feature to restrict which IP addresses can communicate with a service. The neat thing is that these rules operate independently of any iptables configuration, providing an extra layer of security.
Restricting SSH to a local subnet
As an example, let's restrict sshd to the 192.168.1.0/24 subnet. Run systemctl edit sshd.service and add the following.
[Service]
IPAccounting=yes
IPAddressDeny=0.0.0.0/0
IPAddressAllow=192.168.1.0/24

Then reload and restart the service:

systemctl daemon-reload; systemctl restart sshd
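To see what the drop-in above actually enforces, here is an added Python checker (not part of the original post, and not systemd's own code) that emulates systemd's per-unit decision: a client address on IPAddressAllow= is accepted, otherwise one on IPAddressDeny= is dropped, otherwise it is accepted. It also renders the drop-in text and, on a host running systemd, reads the effective lists back with systemctl show; the client addresses fed to it below are constructed samples.

```python
import ipaddress
import subprocess

# Keywords systemd accepts in IPAddressAllow=/IPAddressDeny=, expanded to prefixes.
KEYWORDS = {"any": ["0.0.0.0/0", "::/0"], "localhost": ["127.0.0.0/8", "::1/128"]}


def parse_list(spec):
    """Turn a space-separated IPAddressAllow=/IPAddressDeny= value into networks."""
    nets = []
    for tok in spec.split():
        for cidr in KEYWORDS.get(tok, [tok]):
            nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def policy_allows(allow, deny, client):
    """Emulate the per-unit check: allow-list match wins, then deny-list match
    drops, otherwise the packet passes. Lists inherited from parent slices,
    which systemd also enforces, are not modelled here."""
    ip = ipaddress.ip_address(client)

    def matches(nets):
        # An IPv4 address never matches an IPv6 prefix and vice versa.
        return any(ip.version == n.version and ip in n for n in nets)

    if matches(parse_list(allow)):
        return True
    return not matches(parse_list(deny))


def drop_in(allow, deny):
    """Render the drop-in text that `systemctl edit` expects."""
    return f"[Service]\nIPAccounting=yes\nIPAddressDeny={deny}\nIPAddressAllow={allow}\n"


def live_lists(unit):
    """Read the lists systemd actually loaded for a unit (needs a running systemd)."""
    out = subprocess.run(
        ["systemctl", "show", unit, "-p", "IPAddressAllow", "-p", "IPAddressDeny"],
        capture_output=True, text=True, check=True,
    ).stdout
    props = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    return props.get("IPAddressAllow", ""), props.get("IPAddressDeny", "")


if __name__ == "__main__":
    for client in ("192.168.1.5", "10.0.0.1", "2001:db8::1"):
        print(client, policy_allows("192.168.1.0/24", "0.0.0.0/0", client))
```

Running it shows that IPAddressDeny=0.0.0.0/0 covers only IPv4, so an IPv6 client is still accepted unless ::/0 or the keyword any is denied as well. For a socket-activated sshd the lists also need to be set on the socket unit, since the service's lists do not apply to sockets passed in by activation.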