Having a dynamic IP address sucks. I always lock down my servers and allow SSH access only from trusted sources. Since I have a dynamic IP address, I need to automatically have my IP Tables rules updated everytime my IP address changes.
I use No-IP for my dynamic DNS hostname, you can use any service you like (you can even cook up your own dynamic dns client that utilizes your DNS provider's API, just make sure it points to your IP address all the time).
I have my IP Tables set up like this:
# SSH Chain iptables -N SSH # Create the SSH chain iptables -A INPUT -p tcp -m tcp --dport 22 -j SSH # Jump to the SSH chain on connection to port 22/tcp iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP # If it doesn't match the SSH chain, DROP the packet. # DYNAMIC Chain iptables -N DYNAMIC # Create the DYNAMIC chain iptables -A SSH -j DYNAMIC # Jump from the SSH chain to the DYNAMIC chain
I have also created a bash script that updates the DYNAMIC chain every minute:
#!/bin/bash iptables -F DYNAMIC # Flush the DYNAMIC chain iptables -A DYNAMIC -s my-dynamic-dns-hostname.com -j ACCEPT # Accept packets from my-dynamic-dns-hostname.com
I saved it in /root/dyndns.sh and added it to crontab as a cronjob that runs every minute (* * * * *).