-
Why don't you use the MAC instead of the hostname? (I realized hostname matching isn't gonna do much for an SSH packet, heh.) It's easier to match on a per-packet basis. Something like:
iptables -A INPUT -p tcp --dport 22 -m string --string 'y0:uR:MA:CA:dD:RR' -j ACCEPT
or something along those lines... Then your IP wouldn't matter; be nice with a laptop for sure.
-Maestr0
PS. Not sure if that's the right way to use --string; if you compile netfilter with that extension you can iptables -m string --help.
-
iptables question rep
A question for a question: with the advent of SELinux in the 2.6 kernel, does this really muck things up with iptables and the permissive or targeting policy?
-
iptables question rep
disregard my last post
:)
-
I would open 22 through the firewall. Restrict your sshd to use DSA keys only. No root login of course. And make sure your latest openssh is compiled with --with-tcp-wrappers enabled.
This way you can simply vi /etc/hosts.allow and add:
example
sshd: 192.168.4.0/29 yourname.com
This will give you local net access (optional) and give your domain name access. Since you said your IP changes all the time but you will be using a dynamic DNS updater, tcp wrapper will do a DNS lookup, providing of course that /etc/nsswitch.conf & /etc/resolv.conf have valid DNS info... which I'm sure they do.
Plus you could add to /etc/hosts.deny something like this to log failed attempts:
ALL : ALL : spawn (/usr/bin/logger -p daemon.warning "WARNING! Attempt at %d from %c") &
~phatdee
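A way to check what those hosts.allow / hosts.deny lines actually do before relying on them, as an added example that is not part of the post above or of tcp_wrappers itself: a small Python model of tcpd's access control order (hosts.allow first, then hosts.deny, otherwise allow), run against constructed clients. The sample files, client addresses and host names are all constructed for the example (the logger priority is written as daemon.warning); EXCEPT lists, user@ patterns and the twist/rfc931 options are not modelled, and the %-expansion is the simplified one described in the comments.

```python
"""Toy evaluator of tcp_wrappers access control (hosts.allow / hosts.deny).

Added example, not tcp_wrappers itself. Implements the documented order:
hosts.allow is consulted first, then hosts.deny, and a client that matches
neither file is granted access.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Client(NamedTuple):
    ip: str
    # Name obtained by reverse lookup of ip and confirmed by a forward lookup,
    # the way tcpd derives it. None when the address has no (matching) PTR
    # record, which is the usual situation for a dynamic DNS host.
    hostname: Optional[str]


Rule = Tuple[List[str], List[str], Optional[str]]  # daemons, clients, shell command


def parse_access_file(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: shell_command]' lines."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            raise ValueError(f"malformed access control line: {raw!r}")
        command = fields[2] if len(fields) == 3 else None
        rules.append((fields[0].split(), fields[1].split(), command))
    return rules


def client_matches(pattern: str, client: Client) -> bool:
    """Apply one client_list pattern using tcp_wrappers' matching conventions."""
    name = client.hostname.lower() if client.hostname else None
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":  # any resolved name without a dot
        return name is not None and "." not in name
    if pattern.startswith("."):  # domain suffix, e.g. '.yourname.com'
        return name is not None and name.endswith(pattern.lower())
    if pattern.endswith("."):  # numeric prefix, e.g. '192.168.4.'
        return client.ip.startswith(pattern)
    if "/" in pattern:  # 'net/mask' with a dotted mask, or a CIDR prefix where the build accepts it
        network = ipaddress.IPv4Network(pattern, strict=False)
        return ipaddress.IPv4Address(client.ip) in network
    # Anything else is an exact host name or an exact address. A bare
    # 'yourname.com' matches only that name, not 'laptop.yourname.com'.
    return pattern == client.ip or (name is not None and pattern.lower() == name)


def rule_matches(rule: Rule, daemon: str, client: Client) -> bool:
    daemons, clients, _ = rule
    return any(p in ("ALL", daemon) for p in daemons) and any(
        client_matches(p, client) for p in clients
    )


def expand_command(command: str, daemon: str, client: Client) -> str:
    """Expand the %-sequences used here (%a address, %h/%c host or address, %d daemon)."""
    host = client.hostname or client.ip
    out = command
    for key, value in (("%a", client.ip), ("%h", host), ("%c", host), ("%d", daemon)):
        out = out.replace(key, value)
    return out


def check_access(hosts_allow: str, hosts_deny: str, daemon: str,
                 client: Client) -> Tuple[str, Optional[str]]:
    """Return ('allow' | 'deny', expanded shell command of the matching rule or None)."""
    for rule in parse_access_file(hosts_allow):
        if rule_matches(rule, daemon, client):
            return "allow", expand_command(rule[2], daemon, client) if rule[2] else None
    for rule in parse_access_file(hosts_deny):
        if rule_matches(rule, daemon, client):
            return "deny", expand_command(rule[2], daemon, client) if rule[2] else None
    return "allow", None  # matched neither file: tcp_wrappers grants access


# Constructed sample files modelled on the post above.
HOSTS_ALLOW = "sshd: 192.168.4.0/29 yourname.com\n"
HOSTS_DENY = (
    "ALL : ALL : spawn (/usr/bin/logger -p daemon.warning "
    '"WARNING! Attempt at %d from %c") &\n'
)

if __name__ == "__main__":
    for c in (Client("192.168.4.3", "desk"),            # inside the /29
              Client("192.168.4.9", None),              # outside the /29, no PTR
              Client("203.0.113.7", "yourname.com"),    # exact name matches
              Client("203.0.113.7", "laptop.yourname.com"),  # subdomain does not
              Client("203.0.113.7", None)):             # dynamic DNS host without PTR
        print(c, check_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", c))
```

The two cases worth noticing are the last ones: a bare hostname pattern only matches the exact reverse-resolved name (use `.yourname.com` to cover subdomains), and a client whose address has no PTR record can only ever match address patterns, so a dynamic DNS name without a reverse record falls straight through to the hosts.deny line and its logger command.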