diff --git a/roles/common/templates/00-base.conf.j2 b/roles/common/templates/00-base.conf.j2
index 435e61da2872948d22132b3367ea85712f0b5d6e..c51f83a0dc979c4ff3eedc6d6a46d6c64b02c5a4 100644
--- a/roles/common/templates/00-base.conf.j2
+++ b/roles/common/templates/00-base.conf.j2
@@ -1,3 +1,4 @@
+#jinja2:trim_blocks:True,lstrip_blocks:True
 # IPv4
 domain ip {
 table filter {
@@ -15,8 +16,8 @@ domain ip {
 proto icmp icmp-type echo-request ACCEPT;
 proto tcp dport 22 ACCEPT;
 {% if maintenance %}
- # Validate source IP against list of allowed hosts in maintenance mode.
- jump allowed_hosts;
+ # Validate source IP against list of allowed source addresses in maintenance mode.
+ jump allowed_sources;
 {% endif %}
 }
 
@@ -37,11 +38,12 @@ domain ip {
 }
 }
 {% if maintenance %}
- # Resume processing in case of allowed hosts, drop packets for
- # any other hosts.
- chain allowed_hosts {
- {% for host in maintenance_allowed_hosts %}
- saddr {{ host }} RETURN;
+ # Resume processing for allowed source addresses, otherwise drop packets.
+ chain allowed_sources {
+ {% for source in maintenance_allowed_sources %}
+ {% if source | ipv4 %}
+ saddr {{ source }} RETURN;
+ {% endif %}
 {% endfor %}
 DROP;
 }
@@ -70,8 +72,8 @@ domain ip6 {
 proto icmp icmp-type echo-request ACCEPT;
 proto tcp dport 22 ACCEPT;
 {% if maintenance %}
- # Validate source IP against list of allowed hosts in maintenance mode.
- jump allowed_hosts;
+ # Validate source IP against list of allowed source addresses in maintenance mode.
+ jump allowed_sources;
 {% endif %}
 }
 
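Review bot: In `chain allowed_sources` (hunk `@@ -37,11 +38,12 @@`, and the ip6 counterpart in the last hunk) an entry that is neither a literal IPv4 nor a literal IPv6 address — for instance a hostname, which the old ip6 chain used to resolve via the AAAA lookup — fails both `source | ipv4` and `source | ipv6` and is silently skipped, so in maintenance mode traffic from that source falls through to the trailing `DROP;` with no diagnostic at template time. Failing closed is the right direction, but an operator migrating a list from `maintenance_allowed_hosts` to `maintenance_allowed_sources` can lock themselves out without any error; I would validate the variable before templating, e.g. an assert task such as `- assert: { that: "false not in (maintenance_allowed_sources | map('ipaddr') | list)" }`, so that any non-address entry fails the play instead of vanishing from the chain. It would also help to document next to the `{% for source in maintenance_allowed_sources %}` line that entries must be literal addresses or prefixes (ferm `saddr` accepts CIDR notation) and that names are no longer resolved, and to record in the role's requirements that the `ipv4`/`ipv6` filters appear to depend on the netaddr-backed ipaddr filter family being available on the control node — please confirm that dependency.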
@@ -92,12 +94,11 @@ domain ip6 {
 }
 }
 {% if maintenance %}
- # Resume processing in case of allowed hosts, drop packets for
- # any other hosts.
- chain allowed_hosts {
- {% for host in maintenance_allowed_hosts %}
- {% if lookup('dig', host + '/AAAA') not in ['NXDOMAIN', ''] %}
- saddr {{ host }} RETURN;
+ # Resume processing for allowed source addresses, otherwise drop packets.
+ chain allowed_sources {
+ {% for source in maintenance_allowed_sources %}
+ {% if source | ipv6 %}
+ saddr {{ source }} RETURN;
 {% endif %}
 {% endfor %}
 DROP;