I'd like to do some form of allowing just a couple of hosts to connect to the SSH port, etc for instance. The ones connecting are dialup users with a dynamic ip address.

When you set up iptables like

iptables -A INPUT -s example.host.com/32 ...

it will look up that ip address and "hard code" it into the file. is it possible to refresh the ip address when a connection to that port arrives (using a dyndns service for instance)?

I am putting this one line in hints and tricks in general as well, 'cause I see there is quite demand on it
where EXTIF represents the external interface on which you obtain your dynamic IP, so it might differ, i.e. for ADSL connections using PPPoE it is ppp0, etc.

well that wasn't really my question, maybe it was not well described, again:

there is a server with a very strict set of iptables rules on it, I'd like to open up a posibility to do some SSH connections for instance for people who do not have physical access to the server, like if they are working at another location. those people who should be able to get on the server are on dialup accounts though, so they have a dynamic ip address!

is there somekind of workaround like with a dyndns service that they get assigned a hostname like example.dyndns.org and then netfilter checks that on connection. as far as setting up iptables with iptables -A INPUT -s example.dyndns.org/32 ... the ip address will be looked up and saved, later like when the ip address changed (like when they re-dial their ISP) they won't be able to connect!

any solutions?

Oh, I am sorry I misread it, you need a source IP, hmmm...

I think dyndns takes about 30 mins to propagate changes so that may be too long to be workable if you're doing production or sorts. I can imagine two roads to walk, one is opening up the closest range you can track 'em clients on, the other is having some sort of notification from them to you.

Anyway, a dropper/notification app seems more creative to me... Could be anything ranging from updating their IP automagically by being able to login over SSL first, shooting off a packet at a predefined port to trigger a Snort rule/Portsentry cmd to simply mailing their IP (GPG signed?) when they get online. Filtering restrictions can be easier if you know for instance there's only one slot per range, so after login you can block the rest of the range *and* drop the range in hosts.deny. Also look into setting up sshd to have an Allow for names and/or groups.

Just my thoughts.

I have my sshd listening on a non-standard port, one which has never been scanned, and will only accept connections from hosts which I have given my RSA key to, which changes periodically.
Works great for dynamic ssh clients.

Every connection is logged & so far no-one who shouldn't be there has visited.

Regards,
Peter

Excellent stuff - exactly what I needed, had been mucking about with grep trying to get this working and kept getting stuck

Cheers

Adjman