I understand what you are saying, but what I was hoping for was a
solution whereby the src IP is not part of my whitelist.
For example, I have a dialup account (dynamic IP) at home. If I need to
SSH into my Linux box from home, I can't because the IP I have been
allocated will not be in the whitelist.
Can I ask why you would not be able to get in from your dynamic IP at home? The rule set will allow (however many NEW attempts you designate) to connect for a specified number of times in a specified amount of time. You don't have to have your dynamic IP in the list, as any IP will still be able to initiate NEW connections a few times before the rule starts TARPITing / DROPing the connection. There is also the fact that you could configure your SSH server to listen on a (2nd) port at a higher port number that you would know about and that most people would not. This port would not be processed by this script, and thus you would be able to connect from anywhere.
Grant. . . .
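The behaviour Grant describes, as an added example that is not the script from this thread: a shell function that emits iptables rules limiting each source to a chosen number of NEW connections to the SSH port within a time window (via the `recent` match), with an assumed alternate port that is accepted before any counting happens. The chain name `SSH_LIMIT`, the list name `SSH`, and the example ports are assumptions; the function only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumed layout: a
# dedicated chain SSH_LIMIT and a 'recent' list named SSH.
#
# ssh_ratelimit_rules PORT ALLOWED WINDOW [ALTPORT]
#   PORT     - SSH port to rate limit (e.g. 22)
#   ALLOWED  - NEW connections a single source may open within WINDOW
#   WINDOW   - seconds the source's attempts are remembered
#   ALTPORT  - optional second sshd port accepted without counting
ssh_ratelimit_rules() {
    port="$1"; allowed="$2"; window="$3"; altport="$4"
    # The --set rule records the current attempt before --update counts,
    # so the (ALLOWED+1)th attempt inside WINDOW is the first one dropped.
    hitcount=$((allowed + 1))

    echo "iptables -N SSH_LIMIT"
    echo "iptables -F SSH_LIMIT"
    if [ -n "$altport" ]; then
        # Alternate port: accepted outright, never touches the counter.
        echo "iptables -A INPUT -p tcp --dport $altport -m conntrack --ctstate NEW -j ACCEPT"
    fi
    # Only NEW connections to the SSH port are sent through the limiter;
    # established sessions are unaffected.
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SSH_LIMIT"
    # Remember the source address of every NEW attempt.
    echo "iptables -A SSH_LIMIT -m recent --set --name SSH"
    # Over the limit: log (rate limited so the log cannot be flooded), then drop.
    echo "iptables -A SSH_LIMIT -m recent --update --seconds $window --hitcount $hitcount --name SSH -m limit --limit 1/min -j LOG --log-prefix \"SSH-LIMIT: \""
    echo "iptables -A SSH_LIMIT -m recent --update --seconds $window --hitcount $hitcount --name SSH -j DROP"
    # Under the limit: let the connection through, whatever its source IP.
    echo "iptables -A SSH_LIMIT -j ACCEPT"
}

# Usage: sh this_script.sh 22 3 60 2222   (review the output, then pipe to sh as root)
if [ "$#" -ge 3 ]; then ssh_ratelimit_rules "$@"; fi
```

For the alternate port to work, sshd itself must also listen there (a second `Port` line in sshd_config); the firewall rule alone only permits the traffic.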