@paceline
Created August 13, 2013 06:35
Restrict access to the SSH service by source address, even when the source address is dynamic. Uses the free DynDNS service. Extends Ryan Bowlby's script (thanks!) to support multiple dynamic hosts.
#!/bin/bash
#
# Auth: Ryan Bowlby; extended by paceline to support multiple dynamic hosts
# Desc: Keep an iptables ACCEPT rule for new TCP/22 connections in sync
# with the current address of each DynDNS hostname. Logs to
# /var/log/secure on most Linux systems. Check syslog.conf
# to see where authpriv.notice is logged.
#
# The last address applied for each hostname is kept in $stateDir so the
# stale rule can be deleted by its full specification instead of by
# position: "insert at 2, delete 3" only works for a single host, since
# inserting a second host's rule at 2 pushes the first host's rule to 3.
#
# Assumes INPUT already has at least one rule (e.g. the usual loopback or
# ESTABLISHED,RELATED accept) so position 2 exists; no dummy rule needed.
# Needs iptables >= 1.4.11 for -C. Run from cron as root; save the
# ruleset separately if it must survive a reboot.

dynDomains=("los-angeles.dyndns-ip.com" "san-francisco.dyndns-ip.com")
stateDir=/var/lib/dyndns-ssh
tag=$(/bin/basename "$0")
/bin/mkdir -p "$stateDir" || exit 1

# Everything in the rule except the source address is fixed.
rule_args() { echo "-s $1 -p tcp -m state --state NEW --dport 22 -j ACCEPT"; }

for domain in "${dynDomains[@]}"; do
    # dig +short may print CNAME targets before the A record and prints
    # nothing or an error text on failure; keep only the first IPv4 literal.
    ip=$(/usr/bin/dig +short "$domain" | /bin/grep -Em1 '^([0-9]{1,3}\.){3}[0-9]{1,3}$')
    if [ -z "$ip" ]; then
        /bin/logger -p authpriv.notice -t "$tag" "Error: $domain did not resolve to a valid IPv4 address"
        continue    # keep the existing rule rather than lock this host out
    fi

    stateFile="$stateDir/$domain"
    # Done if the rule for the current address is already present (-C is an
    # exact match; grepping -nL would also match longer addresses).
    if /sbin/iptables -C INPUT $(rule_args "$ip") 2>/dev/null; then
        echo "$ip" > "$stateFile"
        continue
    fi

    # Insert the new rule first, then remove this host's previous rule.
    /sbin/iptables -I INPUT 2 $(rule_args "$ip") || exit 1
    old=$(/bin/cat "$stateFile" 2>/dev/null)
    if [ -n "$old" ] && [ "$old" != "$ip" ]; then
        /sbin/iptables -D INPUT $(rule_args "$old") 2>/dev/null   # may already be gone
    fi
    echo "$ip" > "$stateFile"
    /bin/logger -p authpriv.notice -t "$tag" "$domain updated to $ip"
done
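The following is an added illustration, not part of the gist, of why deleting "rule 3" after inserting at position 2 cannot work once more than one dynamic host is tracked, and of the stricter check on `dig +short` output. It simulates the INPUT chain as one rule per line and never calls iptables. The helper names (`sync_positional`, `sync_by_spec`, `first_ipv4`, and so on), the starting chain, the sample dig output and the TEST-NET addresses are all constructed for the example; the rule text mirrors the gist's rule.

```shell
#!/bin/sh
# Added example (not from the gist): compare "insert at 2, delete 3" with
# deleting the previous rule by its exact specification, on a simulated
# chain. All rule text, addresses and dig output below are constructed.

# Rule text for a host's current address, mirroring the gist's rule.
ssh_rule() { printf '%s\n' "-s $1 -p tcp -m state --state NEW --dport 22 -j ACCEPT"; }

# Chain helpers: $1 is the chain text (one rule per line); positions are
# 1-based like iptables -I / -D.
chain_insert_at() { printf '%s\n' "$1" | awk -v n="$2" -v r="$3" 'NR==n{print r} {print} END{if(NR<n)print r}'; }
chain_delete_at() { printf '%s\n' "$1" | awk -v n="$2" 'NR!=n'; }
# Like "iptables -D <chain> <spec>": removes the first rule whose text matches.
chain_delete_spec() { printf '%s\n' "$1" | awk -v r="$2" '!done && $0==r {done=1; next} {print}'; }
count_rules() { printf '%s\n' "$1" | awk 'END{print NR}'; }

# Starting chain (constructed): the usual stateful accept plus the dummy
# placeholder rule the gist's FYI note says to add before first use.
BASE='-m state --state ESTABLISHED,RELATED -j ACCEPT
-s 127.0.0.1 -j ACCEPT'

# The gist's bookkeeping: insert the new rule at 2, delete whatever is at 3.
sync_positional() {  # $1=chain, $2=new address
    c=$(chain_insert_at "$1" 2 "$(ssh_rule "$2")")
    chain_delete_at "$c" 3
}

# Delete by specification: remove this host's previous rule by its text,
# so other hosts' rules are never touched.
sync_by_spec() {     # $1=chain, $2=previous address ("" on first run), $3=new address
    c=$(chain_insert_at "$1" 2 "$(ssh_rule "$3")")
    if [ -n "$2" ]; then c=$(chain_delete_spec "$c" "$(ssh_rule "$2")"); fi
    printf '%s\n' "$c"
}

# Two hosts, one sync each, positional bookkeeping: the second host's insert
# pushes the first host's rule to position 3, where it is deleted.
run_positional() {
    c=$BASE
    c=$(sync_positional "$c" 198.51.100.10)   # los-angeles
    c=$(sync_positional "$c" 203.0.113.20)    # san-francisco
    printf '%s\n' "$c"
}

# Same two hosts plus an address change for the first one, delete-by-spec:
# each host ends up with exactly one rule carrying its current address.
run_by_spec() {
    c=$BASE
    c=$(sync_by_spec "$c" "" 198.51.100.10)
    c=$(sync_by_spec "$c" "" 203.0.113.20)
    c=$(sync_by_spec "$c" 198.51.100.10 198.51.100.11)
    printf '%s\n' "$c"
}

# dig +short prints CNAME targets before the A record and nothing for
# NXDOMAIN; keep only the first line that is an IPv4 literal. The gist's
# "[0-9.]+" test would accept "los-angeles.dyndns-ip.com." as a valid IP.
first_ipv4() { printf '%s\n' "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | head -n 1; }

DIG_SAMPLE='los-angeles.dyndns-ip.com.
198.51.100.10'

echo '--- positional: los-angeles rule is gone ---'; run_positional
echo '--- by spec: both hosts, current addresses ---'; run_by_spec
echo "first_ipv4 from sample dig output: $(first_ipv4 "$DIG_SAMPLE")"
```

The positional run leaves only the last-synced host with access; the next cron run re-inserts the other host and deletes this one, so the two hosts lock each other out in turn. Deleting by specification (with the previous address remembered per host) is order-independent and needs no placeholder rule.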