diff --git a/deployment/puppet/fuel/examples/host.pp b/deployment/puppet/fuel/examples/host.pp
index d6249b29b3..127a39947d 100644
--- a/deployment/puppet/fuel/examples/host.pp
+++ b/deployment/puppet/fuel/examples/host.pp
@@ -127,13 +127,14 @@ class { 'osnailyfacter::atop': }
 class { 'osnailyfacter::ssh':
 password_auth => 'yes',
- listen_address => [$::fuel_settings['ADMIN_NETWORK']['ipaddress']],
+ listen_address => ['0.0.0.0'],
 }
 class { 'fuel::iptables':
- admin_iface => $::fuel_settings['ADMIN_NETWORK']['interface'],
+ admin_iface => $::fuel_settings['ADMIN_NETWORK']['interface'],
+ ssh_network => $::fuel_settings['ADMIN_NETWORK']['ssh_network'],
 network_address => ipcalc_network_by_address_netmask($::fuel_settings['ADMIN_NETWORK']['ipaddress'],$::fuel_settings['ADMIN_NETWORK']['netmask']),
- network_cidr => ipcalc_network_cidr_by_netmask($::fuel_settings['ADMIN_NETWORK']['netmask']),
+ network_cidr => ipcalc_network_cidr_by_netmask($::fuel_settings['ADMIN_NETWORK']['netmask']),
 }
 # FIXME(kozhukalov): this should be a part of repo management tool
diff --git a/deployment/puppet/fuel/manifests/iptables.pp b/deployment/puppet/fuel/manifests/iptables.pp
index 034fdf1ac8..e7aeb1e687 100644
--- a/deployment/puppet/fuel/manifests/iptables.pp
+++ b/deployment/puppet/fuel/manifests/iptables.pp
@@ -4,6 +4,7 @@
 class fuel::iptables (
 $admin_iface = $::fuel::params::admin_interface,
 $ssh_port = '22',
+ $ssh_network = '0.0.0.0/0',
 $nailgun_web_port = $::fuel::params::nailgun_port,
 $nailgun_internal_port = $::fuel::params::nailgun_internal_port,
 $nailgun_repo_port = $::fuel::params::repo_port,
@@ -43,6 +44,7 @@ class fuel::iptables (
 firewall { '005 ssh':
 port => $ssh_port,
 proto => 'tcp',
+ source => $ssh_network,
 action => 'accept',
 }
diff --git a/tests/noop/spec/hosts/master/host_spec.rb b/tests/noop/spec/hosts/master/host_spec.rb
index b73f5be246..3b2e8c09d1 100644
--- a/tests/noop/spec/hosts/master/host_spec.rb
+++ b/tests/noop/spec/hosts/master/host_spec.rb
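Review bot: In host.pp, `listen_address => ['0.0.0.0']` combined with the unchanged `password_auth => 'yes'` leaves the `005 ssh` firewall rule as the only thing limiting who can reach password logins on the master, on every interface. That dependency is not stated anywhere in the manifest; a comment above the ssh class such as `# sshd binds all addresses; access is limited by fuel::iptables ssh_network` would keep a later firewall change from silently exposing it. If key-based access is feasible for this host, turning `password_auth` off here would reduce what the wider bind exposes.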
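Review bot: The new `$ssh_network = '0.0.0.0/0'` default in fuel::iptables (first hunk of iptables.pp) fails open: when host.pp passes an undefined `$::fuel_settings['ADMIN_NETWORK']['ssh_network']` (for instance settings written before this key existed, which is not visible here), Puppet will most likely fall back to this default and the `005 ssh` rule in the second hunk accepts any source. A default derived from the admin network, or failing when the value is empty, would be safer, and the value is not validated as a CIDR before it reaches `source => $ssh_network`. At minimum document the parameter, e.g. `# $ssh_network: CIDR allowed to reach SSH; 0.0.0.0/0 allows any source`. The class body continues outside both hunks.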
@@ -57,8 +57,8 @@ describe manifest do
 it 'should declare "osnailyfacter::ssh" class with correct parameters' do
 parameters = {
- :password_auth => 'yes',
- :listen_address => [fuel_settings['ADMIN_NETWORK']['ipaddress']],
+ :password_auth => 'yes',
+ :listen_address => ['0.0.0.0'],
 }
 is_expected.to contain_class('osnailyfacter::ssh').with parameters
 end
@@ -66,6 +66,7 @@ describe manifest do
 it 'should declare "fuel::iptables" class with correct parameters' do
 parameters = {
 :admin_iface => fuel_settings['ADMIN_NETWORK']['interface'],
+ :ssh_network => fuel_settings['ADMIN_NETWORK']['ssh_network'],
 :network_address => Noop.puppet_function(
 'ipcalc_network_by_address_netmask',
 fuel_settings['ADMIN_NETWORK']['ipaddress'],
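Review bot: The updated expectations only check that the classes receive the new parameters; nothing asserts that the `005 ssh` firewall resource actually carries the restricted source now that sshd listens on `0.0.0.0`. In the 'should declare "fuel::iptables" class' example (second hunk) or a new example, add something like `is_expected.to contain_firewall('005 ssh').with(:source => fuel_settings['ADMIN_NETWORK']['ssh_network'])`. A case where `ssh_network` is absent from the fixture would also pin down what the rule falls back to. The parameters hash in the second hunk continues past the end of the hunk.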