Reaction, the new fail2ban
Context
When you have a server reachable from the internet, it is a very good idea to control who has access to it and how. For years I have been using the very good tool called iptables in a very restrictive way. But something happened to me that changed my mind, and I am going to share that story with you…
Architecture
Here is how I designed the secure SSH access to my server from the two places where I have physical access.
So I configured iptables on my server in the most restrictive way I know from a network perspective: only the two public IPs of my two homes can reach the SSH service. And it works fine. But by design, there is an issue with this choice. Indeed, my ISPs 1) give me dynamic IPs. They may change without notice, but for the last 3 years they did not. I accepted the risk because of two things:
- Since the IPs don't change very often and I have two different ISPs, the probability that both of them change at the same time is very low. So if one IP changes and I lose access to my server, I can go to the second home and update the configuration accordingly.
- Worst case scenario, I can use the emergency console access from my server provider and update the iptables configuration.
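As an added example (not the author's configuration), the shell script below generates the kind of restrictive iptables ruleset described above, with SSH allowed only from two home addresses, and refuses to apply it from an SSH session whose source address is not one of those homes, which is the lockout scenario the two points above are about. The home IPs, the `gen_ssh_allowlist`, `client_allowed` and `apply_ruleset` names, and the `HOME1`/`HOME2` variables are assumptions; the addresses are constructed placeholders from the TEST-NET ranges.

```shell
#!/bin/sh
# Added example, not the author's real configuration. HOME1/HOME2 are
# constructed placeholder addresses (TEST-NET ranges), override them via env.
HOME1="${HOME1:-192.0.2.10}"
HOME2="${HOME2:-198.51.100.20}"
SSH_PORT="${SSH_PORT:-22}"

# Print an iptables-restore ruleset: default DROP on INPUT, loopback and
# already-established traffic accepted, SSH reachable only from the two homes.
gen_ssh_allowlist() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -s $HOME1 -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -s $HOME2 -j ACCEPT
COMMIT
EOF
}

# Lockout guard: sshd exports SSH_CLIENT as "client_ip client_port server_port".
# Succeeds only if the session we are working from comes from an allowed home,
# so a changed dynamic IP is noticed before the ruleset cuts us off.
client_allowed() {
  client="${SSH_CLIENT%% *}"
  [ "$client" = "$HOME1" ] || [ "$client" = "$HOME2" ]
}

# Apply the ruleset atomically, but only when the guard passes.
apply_ruleset() {
  if ! client_allowed; then
    echo "refusing to apply: SSH client '${SSH_CLIENT%% *}' is not an allowed home IP" >&2
    return 1
  fi
  gen_ssh_allowlist | iptables-restore
}

# Without the "apply" argument the script only prints the ruleset for review.
if [ "$1" = "apply" ]; then
  apply_ruleset
else
  gen_ssh_allowlist
fi
```

Run it as root with `apply` from an SSH session originating at one of the two homes; run it without arguments first to review the generated rules.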