Paul - you've posted your solutions but not the problem you're trying
to solve. Are you trying to open up a port-forward from a particular
IP address, based on whether that IP address has an SSH connection to
your machine? If so, yes, you can do that:
    When your user logs in to your machine, have their login script
    set up the iptables rule to permit the port forwarding; or, have
    them execute something that has the same effect.
The real trick is getting the rule to go away again when the user logs
out or the connection drops. Depending on how important this is, you
can use some combination of a nested shell, a logout profile, or a cron
job that looks for this user being logged in and removes the iptables
rule when no login is found or when the user's idle time goes above
some number.
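
A sketch of the login-side rule and the cron-side cleanup described above, added here as an example and not part of the original message. It only prints the iptables commands (dry run); the chain name SSH_FWD, port 8080, user "paul" and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Reconcile per-login forwarding rules with current SSH logins (dry run).
# Assumptions (not from the original message): rules live in a dedicated
# chain SSH_FWD and the forwarded port is 8080.
CHAIN=SSH_FWD
PORT=8080

# Print the iptables command for ACTION (-I add, -D delete) and a source IP.
rule_cmd() {
    printf 'iptables %s %s -s %s -p tcp --dport %s -j ACCEPT\n' \
        "$1" "$CHAIN" "$2" "$PORT"
}

# Login side: sshd sets SSH_CLIENT to "addr srcport dstport"; pass it as $1.
login_cmd() { rule_cmd -I "${1%% *}"; }

# Unique source addresses of USER ($1) from `who` output on stdin.
# `who` prints the remote host in parentheses as the last field.
active_ips() {
    awk -v u="$1" '$1 == u && $NF ~ /^\(.*\)$/ {
        ip = substr($NF, 2, length($NF) - 2); if (!seen[ip]++) print ip }'
}

# Source addresses that currently have a rule, from `iptables -S CHAIN` on stdin.
ruled_ips() {
    awk '$1 == "-A" { for (i = 2; i < NF; i++) if ($i == "-s") {
        sub(/\/32$/, "", $(i+1)); print $(i+1) } }'
}

# Cron side: print a delete command for every rule whose source has no
# live login. $1 = `who` output, $2 = `iptables -S` output, $3 = user.
reconcile() {
    live=$(printf '%s\n' "$1" | active_ips "$3")
    printf '%s\n' "$2" | ruled_ips | while read -r ip; do
        printf '%s\n' "$live" | grep -qxF "$ip" || rule_cmd -D "$ip"
    done
}

# Constructed sample data: one live session for paul, one stale rule.
SAMPLE_WHO='paul     pts/0        2024-01-10 09:12 (203.0.113.7)
alice    pts/1        2024-01-10 09:30 (198.51.100.4)
paul     tty1         2024-01-10 08:00'
SAMPLE_RULES='-N SSH_FWD
-A SSH_FWD -s 203.0.113.7/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A SSH_FWD -s 192.0.2.55/32 -p tcp -m tcp --dport 8080 -j ACCEPT'

login_cmd "203.0.113.7 51234 22"
reconcile "$SAMPLE_WHO" "$SAMPLE_RULES" paul
```

On a live system `who` may show a resolved hostname instead of an address; GNU `who --ips` prints addresses. Because the cleanup compares rules against current logins rather than relying on a logout hook, it also removes rules left behind by dropped connections.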