How to Set Rules Allowing SSH Port 22 Only from My Country's IPs

Hello

Please help. How can I set rules so that access to SSH port 22 is allowed only from my country's IPs, that is, Indonesia?

Best regards

Hi,

Take a look at this post (you must adapt it to use Indonesian IPs and only port 22):


Oh okay. Thank you, I will try it.


Are we ever going to be able to BIND the rule to an FQDN?

I don’t have a static IP; it changes 2+ times a month.

I DO have ‘dyn-dns’ set up on a couple of machines on my network. I think THAT part is working.

I hope you don’t mind me asking on THIS thread. I haven’t been here for about 18 months. :)

No, you can’t do that.

I made this script to add my home’s dyn IP to iptables to allow access to all the ports on my Hestia server.

#!/usr/bin/env bash
set -euo pipefail
export PATH="/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/hestia/bin"

if [[ $EUID -ne 0 ]]; then
    echo "Script must be executed as root user" >&2
    exit 1
fi

basedir="/var/lib/add_fw_rule_dyn"
host="${1:-}"          # default to empty so `set -u` does not abort before the usage check
port=0                 # 0 = all ports; the ACCEPT rule below is not limited to a port
iplist="$basedir/${host}_${port}.iplist"          # last IP the rule was created for
iplist_log="$basedir/${host}_${port}.iplist.log"  # history of IP changes
cur_ip=""
saved_ip=""

if [[ -z $host ]]; then
    echo "Usage: $0 domainname" >&2
    exit 1
fi

if [[ ! -d $basedir ]]; then mkdir -p "$basedir"; fi

# Resolve the dyn-dns name and keep only a plain IPv4 answer (a CNAME chain
# prints extra lines, so the address is the last line).
if ! cur_ip="$(dig +short "$host" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | tail -n1)"; then
    echo "Error resolving domain $host" >&2
    exit 2
fi

if [[ -z $cur_ip ]]; then
    echo "Error, host $host is not resolving" >&2
    exit 3
fi

if [[ -f $iplist ]]; then saved_ip="$(head -n1 "$iplist")"; fi

# Match the rule exactly as `iptables -S` prints it; a plain substring match on
# the IP would also match 1.2.3.45 when looking for 1.2.3.4.
rule_exists() {
    iptables -S INPUT | grep -qF -- "-s $1/32 -j ACCEPT"
}

# Insert right after the RELATED,ESTABLISHED rule so the ACCEPT is evaluated
# before any later DROP/REJECT rules; fall back to the top of the chain if that
# rule is absent (an empty position would make iptables fail).
insert_position() {
    local pos
    pos="$(iptables -L INPUT -v -n --line-numbers | awk '/RELATED,ESTABLISHED/ {print $1+1; exit}')"
    echo "${pos:-1}"
}

# Record the new address (this also covers the first run, when saved_ip is empty).
if [[ "$cur_ip" != "$saved_ip" ]]; then
    echo "$cur_ip" >"$iplist"
    echo "$(date +'%Y-%m-%d %H:%M:%S') $cur_ip" >>"$iplist_log"
fi

# Make sure the current address is allowed, whether or not it changed.
if ! rule_exists "$cur_ip"; then
    iptables -I INPUT "$(insert_position)" -s "$cur_ip"/32 -j ACCEPT
fi

# Remove the rule for the previous address once it has changed.
if [[ -n "$saved_ip" && "$cur_ip" != "$saved_ip" ]]; then
    if rule_exists "$saved_ip"; then
        iptables -D INPUT -s "$saved_ip"/32 -j ACCEPT
    fi
fi

Save the script as, for example, /usr/local/bin/add_fw_rule_dyn, give it execution permissions and create a cron job for root to execute the script every 5 minutes.

The script must be used like this:

/usr/local/bin/add_fw_rule_dyn your.dyn.dns
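The script above opens all ports to one dynamic address; the original question (port 22 only from one country's address ranges) is not covered by it. As an added example, not code from this thread or from Hestia, the shell below loads a file of country CIDRs into an ipset and restricts tcp/22 to members of that set. The set name `ssh_country`, the list path `/etc/ssh_country.cidr` and any sample CIDRs are placeholders; the real list has to come from a GeoIP or RIR source you trust.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: build an ipset from a file of country
# CIDRs and restrict SSH (tcp/22) to members of that set.  The set name
# "ssh_country" and the list path /etc/ssh_country.cidr are placeholders;
# the CIDR list itself must come from a GeoIP/RIR source you trust.
set -eu

# Validate one IPv4 CIDR: a.b.c.d/n with every octet 0-255 and prefix 0-32.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    _ip=${1%/*}
    for o in $(printf '%s' "$_ip" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Emit an `ipset restore` batch for the CIDR list file.  Comments and blank
# lines are skipped; malformed entries go to stderr and are dropped, so one
# bad line cannot abort loading the whole set.
build_ipset_batch() {
    set_name=$1; list_file=$2
    echo "create $set_name hash:net family inet -exist"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        if valid_cidr "$line"; then
            echo "add $set_name $line -exist"
        else
            echo "skipping malformed entry: $line" >&2
        fi
    done < "$list_file"
}

# Accept SSH from the set, drop all other SSH; `-C` checks first so reruns
# (e.g. from cron after the list is refreshed) do not duplicate rules.  The
# ACCEPT is inserted at the top of INPUT so it is evaluated before the DROP.
apply_ssh_rules() {
    set_name=$1; port=${2:-22}
    iptables -C INPUT -p tcp --dport "$port" -m set --match-set "$set_name" src -j ACCEPT 2>/dev/null ||
        iptables -I INPUT -p tcp --dport "$port" -m set --match-set "$set_name" src -j ACCEPT
    iptables -C INPUT -p tcp --dport "$port" -j DROP 2>/dev/null ||
        iptables -A INPUT -p tcp --dport "$port" -j DROP
}

# As root:  build_ipset_batch ssh_country /etc/ssh_country.cidr | ipset restore
#           apply_ssh_rules ssh_country 22
```

The appended DROP only takes effect if no earlier INPUT rule already accepts port 22 (for example one added by the panel's own firewall), so check `iptables -S INPUT` after applying, and keep an out-of-band way in before testing from outside the allowed ranges.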