This document attempts to describe a method of keeping your SSH port closed while not needed, and opening it for specific locations.
One of the aims during the "design" of this system was to avoid using any user-space server-side code, because that would have opened up new possibilities for exploitation. Therefore all the access control here is done with simple netfilter rules.
The system relies heavily on the recent match extension of netfilter. With recent, it's possible to write rules matching only when another rule has relatively recently matched, for the same source.
This will be used to set up an ACCEPT rule to allow SSH connections after a suitable "knocking" procedure has been executed. This will keep the SSH port closed for most random connection attempts from malicious sources.
In the interests of further obfuscation, the knocking procedure will consist of multiple (three, in the example setup) ports, which all must be "knocked" in the correct sequence, with UDP packets of suitable length, before the SSH port will be opened. Client-side tools for UNIX-like systems as well as Win32 systems are provided.
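As an added illustration of the recent-match design described above (example code written for this page, not the original author's ruleset or client tools), the script below builds a three-stage knock with dedicated GATE chains: each stage is a recent list that the next knock must find within a short window, a knock on the wrong port falls back to stage one, and only a source that completed the sequence may open a new TCP connection to the SSH port. The knock ports (7000, 8000, 9000), the packet length (64 bytes), the timers, and the chain and list names are all assumptions chosen for the example. By default the script only prints the iptables commands; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not the page's own ruleset: a port-knocking chain built on the
# netfilter "recent" match. Assumptions: knocks are UDP to ports 7000, 8000, 9000,
# each exactly 64 bytes long (IP header included), at most 10 s apart; a completed
# sequence admits one new SSH connection within 30 s. IPT defaults to a dry run
# that prints the commands; run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"

KNOCK1=7000 KNOCK2=8000 KNOCK3=9000   # assumed knock sequence, in order
KNOCK_LEN=64                          # assumed total packet length to accept as a knock
STEP_TTL=10                           # seconds allowed between consecutive knocks
OPEN_TTL=30                           # seconds the completed sequence stays valid
SSH_PORT=22

knock_rules() {
    # Dedicated chains: KNOCKING dispatches on the source's current stage,
    # GATEn accepts the n-th knock, PASSED admits the SSH connection.
    for c in KNOCKING GATE1 GATE2 GATE3 PASSED; do
        $IPT -N "$c"
    done

    # Stage 1: a correct first knock records the source address in list AUTH1.
    # Everything else reaching GATE1 is dropped, so the host stays silent.
    $IPT -A GATE1 -p udp --dport "$KNOCK1" -m length --length "$KNOCK_LEN" \
         -m recent --name AUTH1 --set -j DROP
    $IPT -A GATE1 -j DROP

    # Stage 2: forget stage 1 first, then either advance to AUTH2 or fall back
    # to GATE1, so a packet to the wrong port restarts the whole sequence.
    $IPT -A GATE2 -m recent --name AUTH1 --remove
    $IPT -A GATE2 -p udp --dport "$KNOCK2" -m length --length "$KNOCK_LEN" \
         -m recent --name AUTH2 --set -j DROP
    $IPT -A GATE2 -j GATE1

    # Stage 3: same pattern, advancing to AUTH3.
    $IPT -A GATE3 -m recent --name AUTH2 --remove
    $IPT -A GATE3 -p udp --dport "$KNOCK3" -m length --length "$KNOCK_LEN" \
         -m recent --name AUTH3 --set -j DROP
    $IPT -A GATE3 -j GATE1

    # Sequence complete: the first new packet from this source consumes the
    # AUTH3 entry, so exactly one connection attempt is admitted; if it is a
    # new TCP connection to the SSH port it is accepted, anything else goes
    # back to GATE1 and is dropped.
    $IPT -A PASSED -m recent --name AUTH3 --remove
    $IPT -A PASSED -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A PASSED -j GATE1

    # Dispatcher: check the most advanced stage first, each within its own
    # window, so a source is routed to the gate for its next expected knock.
    $IPT -A KNOCKING -m recent --name AUTH3 --rcheck --seconds "$OPEN_TTL" -j PASSED
    $IPT -A KNOCKING -m recent --name AUTH2 --rcheck --seconds "$STEP_TTL" -j GATE3
    $IPT -A KNOCKING -m recent --name AUTH1 --rcheck --seconds "$STEP_TTL" -j GATE2
    $IPT -A KNOCKING -j GATE1

    # Hook into INPUT: established flows bypass the knock logic, so an open SSH
    # session survives the window closing; every other packet goes through
    # KNOCKING. Rules for services that should stay reachable belong before
    # this jump, because GATE1 drops whatever it does not recognise as a knock.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -j KNOCKING
}

knock_rules
```

The `-m length` match is what makes the knock depend on packet size as well as port, and the `--remove` rules at the top of GATE2 and GATE3 are what force a strict ordering: a source that has sent knock one cannot skip to knock three, and any stray UDP packet to the host in between sends it back to the start. Because the recent lists are keyed by source address, the door opens only for the location that knocked, which is the point of the design.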