#!/bin/bash

######First, set SSHD back to the default port 22. 
######Next, figure out what port or ports you want to do SSH over. 
######Were going to use 99, 88, and 8889 here.
######Now we take care of the Hypothetical Evil Unprivileged User 
######by not accepting anything over those ports in the first place. 
######This is only effective for port 8889 but well do all three ports for the sake of completeness.

/usr/sbin/iptables -t filter -A INPUT -p tcp -m multiport --dports 99,88,8889 -j REJECT --reject-with tcp-reset

######Then, pick a number between 1 and 4294967295 Ill use 0x13F ()
######Were going to tell iptables to reject anything without this mark coming into port 22.

/usr/sbin/iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -m connmark ! --mark 0x13F -j REJECT --reject-with tcp-reset

######Now well tell iptables what ports we will accept for ssh.

/usr/sbin/iptables -t filter -A FORWARD -p tcp -m multiport --dports 99,88,8889 -j ACCEPT

######In the mangle table we slap our mark on these packets.

/usr/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 99,88,8889 -j CONNMARK --set-mark 0x13F

######Finally in the nat table we tell iptables to send the marked packets back to port 22

/usr/sbin/iptables -t nat -A PREROUTING -p tcp -m multiport --dport 99,88,8889 -j REDIRECT --to-ports 22

exit 0