The easiest way to accomplish what you are trying to do is to use fwknopd. I use fwknopd to open the ssh service on-demand when I need it and only for my client host IP. By default, I have a firewall rule to deny ssh from all IPs. When I need to ssh into my server, I use the fwknop client to open the ssh port (actually I use a non-standard ssh port to keep script kiddies away) and keep it open for a short time (you can configure it to stay open for whatever duration you want), which allows me to ssh into my server. fwknopd will close the port after the configured time expires, but you can continue to have an ssh session for as long as you like.
fwknopd - Firewall Knock Operator Daemon
Here is how it works.
Server side (before)
root@gorilla:~# iptables -n --list |grep 8.8.8.8
Client side (note: 8.8.8.8 is an example for my client host IP)
arul@cheetah$ fwknop -A tcp/22 -a 8.8.8.8 -D <my_servers_public_ip>
Enter encryption key:
Server side (after)
root@gorilla:~# cat /var/log/syslog|grep 8.8.8.8
Feb 4 09:28:36 gorilla fwknopd[1191]: Added Rule to FWKNOP_INPUT for 8.8.8.8, tcp/22 expires at 1486222476
root@gorilla:~# iptables -n --list |grep 8.8.8.8
ACCEPT tcp -- 8.8.8.8 0.0.0.0/0 tcp dpt:22 /* _exp_1486222476 */
Note:
You have to open UDP port 62201 for the fwknop client to talk to fwknopd.
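For reference, here is an added example of the server-side fwknopd stanza (the access.conf format, not taken from the answer above) that produces the behaviour described: access is granted only to the source IP carried in the SPA packet, only for tcp/22, and only for a short window before the rule expires. The key values are placeholders you must replace; the 30-second timeout is an assumed value.

```ini
# /etc/fwknop/access.conf (example; keys below are placeholders, not real secrets)

# Accept SPA packets from any source IP; the per-request source address
# is still checked below, so this does not open the port to everyone.
SOURCE                  ANY;

# Only the ssh port may be requested (use your non-standard port here if
# you moved sshd, e.g. tcp/2222).
OPEN_PORTS              tcp/22;

# Force the client to state the IP to allow (fwknop -a <ip> or -R); the
# daemon then adds an ACCEPT rule for that IP only, as seen in syslog.
REQUIRE_SOURCE_ADDRESS  Y;

# How long the ACCEPT rule lives, in seconds; an established ssh session
# survives the rule's removal, new connections do not. (assumed value)
FW_ACCESS_TIMEOUT       30;

# Shared Rijndael key for encrypting the SPA packet, plus an HMAC key so
# the daemon authenticates the packet before attempting to decrypt it.
KEY                     __REPLACE_WITH_ENCRYPTION_KEY__;
HMAC_KEY                __REPLACE_WITH_HMAC_KEY__;
```

The daemon listens for the SPA packet on the UDP port set by PCAP_FILTER in fwknopd.conf (udp port 62201 by default), which is the port the note above says must be reachable; the ssh port itself stays closed until a valid packet arrives.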