diff --git a/cookbooks/firewall/templates/default/iptables.erb b/cookbooks/firewall/templates/default/iptables.erb
index ce3f229..8cffd6e 100644
--- a/cookbooks/firewall/templates/default/iptables.erb
+++ b/cookbooks/firewall/templates/default/iptables.erb
@@ -18,8 +18,8 @@
 -A INPUT -i lo -j ACCEPT
-# Everybody need to accept SSH from reverseproxy
--A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT
+# Everybody need to accept SSH from integration
+-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT
 <%= node['firewall'] %>
 <%= render 'iptables-filter.erb' %>
diff --git a/cookbooks/firewall/templates/host-integration/iptables-filter.erb b/cookbooks/firewall/templates/host-integration/iptables-filter.erb
index 2c9e5ea..d662a62 100644
--- a/cookbooks/firewall/templates/host-integration/iptables-filter.erb
+++ b/cookbooks/firewall/templates/host-integration/iptables-filter.erb
@@ -1,3 +1,6 @@
 # Allow HTTP access
 -A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
+
+# Allow SSH connections redirected from integration
+-A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT
diff --git a/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb b/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
index 209abce..269f4f7 100644
--- a/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
@@ -6,4 +6,4 @@
 -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
 # Real SSH connection
--A INPUT -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT
+-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT
-- libgit2 0.21.2
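Review bot: The new rule in default/iptables.erb interpolates `node['peers']['integration']` with no guard, so on a node where that attribute is unset it renders as `-A INPUT -s  -p tcp ...`, which iptables-restore is likely to reject, and because restore is atomic that aborts the whole ruleset rather than just this line; the host-reverseproxy hunk in this same commit adds the same unguarded reference on the alt_ssh_port rule. Whether the attribute is guaranteed to be populated for every host cannot be seen from this diff. Failing the Chef run early with a clear message is safer than failing at restore time, e.g. `<% raise "node['peers']['integration'] is not set" unless node['peers']['integration'] %>` above the rule, or wrapping the rule in `<% if node['peers']['integration'] %> ... <% end %>` if a missing peer should simply drop it. The comment would also read more precisely as `# Every host accepts SSH from the integration peer`.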
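Review bot: The added comment in host-integration/iptables-filter.erb says the connections are `redirected from integration`, but the rule matches source address `node['peers']['reverseproxy']` in the integration host's own filter, so the comment names the wrong peer; `# Allow SSH connections redirected here by the reverseproxy` would describe the rule that follows it. Separately, if the redirect on the reverseproxy is a DNAT without source rewriting (the nat rules are not in this diff), packets reach the integration host with the original client's address rather than the reverseproxy's, and this `-s` match would never hit; worth confirming against the reverseproxy's nat table before relying on it.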
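Review bot: Restricting the `alt_ssh_port` rule in host-reverseproxy/iptables-filter.erb to `node['peers']['integration']` removes the last directly reachable administrative path to the reverseproxy's sshd, since the unrestricted port-22 rule two lines above appears, from the rest of this commit, to be the one forwarded to the integration host; reaching the reverseproxy then depends on the integration host being up and the peer address being correct. That reads as deliberate hardening, but the comment still says only `# Real SSH connection`, which a later operator may read as a public rule; `# Real SSH connection: only accepted from the integration host, which acts as the jump host` would make the dependency explicit. If there is console or other out-of-band access to the reverseproxy, naming it next to this rule would document the recovery path for a misconfigured peer address.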