Paypal / iptables | Unix Linux Forums | UNIX for Advanced & Expert Users


Paypal / iptables

Tags
iptables, linux, paypal

#1 | 04-25-2013 | darkman_hr (Registered User)
 
Join Date: Oct 2010
Last Activity: 27 July 2013, 11:49 AM EDT
Location: Sibenik, Croatia
Posts: 17
Thanks: 3
Thanked 0 Times in 0 Posts
Paypal / iptables

For some time now I have had this problem, as PayPal got into dynamic IPs of a sort.

I have a captive portal (my own) built on Linux/iptables/PHP. I'd like to always allow PayPal, and before I used 'iptables -I my_table -d paypal.com -j ACCEPT' (or RETURN, or whatever/wherever). Nowadays that doesn't work. So the best I could do is make a script that would "dig" the IP every x minutes and write that IP into a MySQL database that is later read by my iptables whenever it needs updating. I think I got around 100 IPs and the database finally stopped populating.

My question is: how can I allow PayPal without entering every single IP into iptables? I'm sure others have had this problem. I was just wondering how anybody solved it their way?
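One way to keep the firewall down to a single rule while still refreshing the addresses on a timer, as the script described in this post does, is to point that rule at an ipset and let the refresh job replace the set's members. The script below is an added example, not code from the thread or from any of its posters. It assumes ipset and either dig or getent are installed; the set name PAYPAL_V4, the chain name MY_PORTAL and the hostnames are placeholders taken from the thread, and every address in the embedded sample is from the 203.0.113.0/24 documentation range. Resolution happens in userspace on a schedule, never inside a packet-matching rule, and members carry a timeout so an address PayPal stops using ages out by itself, which a growing MySQL table does not do.

```shell
#!/bin/sh
# Added example: one iptables rule that matches an ipset, plus a refresh job
# that resolves the allowed hostnames and (re)adds the results to the set.
# Assumptions: ipset + dig/getent present; PAYPAL_V4, MY_PORTAL, the timeout
# and DRY_RUN are placeholders/defaults chosen for this example.

SET_NAME="${SET_NAME:-PAYPAL_V4}"
CHAIN="${CHAIN:-MY_PORTAL}"
NAMES="${NAMES:-paypal.com www.paypal.com paypalobjects.com www.paypalobjects.com}"
# Members expire after this many seconds unless refreshed, so stale addresses
# drop out on their own; refresh well inside this window (e.g. every 10 min).
TIMEOUT="${TIMEOUT:-3600}"
DRY_RUN="${DRY_RUN:-1}"     # 0 = really call ipset/iptables (needs root)

# run CMD...: print the command, and execute it unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# is_ipv4 STR: return 0 if STR is a dotted quad with each octet in 0..255.
# Anything else (CNAME targets, AAAA records, blanks) is rejected so that
# only real addresses reach the set.
is_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# unique_ipv4: read resolver output on stdin (dig +short style), emit each
# valid IPv4 address exactly once, sorted.
unique_ipv4() {
    while read -r line; do
        is_ipv4 "$line" && printf '%s\n' "$line"
    done | sort -u
}

# resolve NAME: print the A records for NAME, one per line.
resolve() {
    if command -v dig >/dev/null 2>&1; then
        dig +short A "$1"
    else
        getent ahostsv4 "$1" | awk '{print $1}'
    fi
}

# refresh: resolve every name and add the results to the set with a timeout.
# The iptables rule never changes; only the set membership does.
refresh() {
    run ipset create "$SET_NAME" hash:ip timeout "$TIMEOUT" -exist
    for n in $NAMES; do resolve "$n"; done | unique_ipv4 | while read -r ip; do
        run ipset add "$SET_NAME" "$ip" timeout "$TIMEOUT" -exist
    done
}

# install_rule: the single ACCEPT rule, inserted only if it is not already there.
install_rule() {
    iptables -C "$CHAIN" -m set --match-set "$SET_NAME" dst -j ACCEPT 2>/dev/null ||
        run iptables -I "$CHAIN" -m set --match-set "$SET_NAME" dst -j ACCEPT
}

# Constructed sample of what 'dig +short' can return (CNAME, duplicates, v6):
SAMPLE='www.paypal.com.
203.0.113.10
203.0.113.10
2001:db8::1
203.0.113.9
999.1.1.1'

case "${1:-}" in
    apply) install_rule; refresh ;;                      # cron: */10 * * * *
    demo)  printf '%s\n' "$SAMPLE" | unique_ipv4 ;;      # shows the filtering
esac
```

Run it as `DRY_RUN=0 sh refresh_paypal_ipset.sh apply` from cron on the gateway; with the default DRY_RUN=1 it only prints the ipset/iptables commands it would issue. The gateway, not the client, does the resolving, so a client that points at its own resolver gains nothing, and the kernel never waits on DNS (the concern raised later in this thread).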
#2 | 04-25-2013 | Corona688 (Forum Staff, Mead Rotor)
 
Join Date: Aug 2005
Last Activity: 31 October 2014, 9:36 PM EDT
Location: Saskatchewan
Posts: 19,745
Thanks: 832
Thanked 3,375 Times in 3,162 Posts
Unless you want to start personally authorizing every individual bank, escrow agency, and webmail provider in the world, I wouldn't even try policing SSL connections.

Explain the bigger picture here. What exactly are you blocking and not, with what goal?
#3 | 04-25-2013 | darkman_hr (Registered User)
 
Join Date: Oct 2010
Last Activity: 27 July 2013, 11:49 AM EDT
Location: Sibenik, Croatia
Posts: 17
Thanks: 3
Thanked 0 Times in 0 Posts
We are a small city where wireless is shared by our users, but occasionally (seasonally) we have tourists, and a small donation of $1 per day is required if you're that type of user.

Now, everything is blocked and locked to the Linux machine, but PayPal needs to be allowed so the user can pay, which is then redirected back to the database and the server lets the customer surf.

Right now I have 100 IPs in my database that point directly to PayPal servers, but the table seems a lot large for just one page.

Is there any simpler thing I could do? I think MikroTik OS (whatever they call it) has some sort of local transparent proxy just for that page? How do I set that up?

Perhaps connmark the entire connection and mark it so that whenever the keyword "paypal" is in a packet it is forwarded to a local HTTP proxy?

Uhh, hope I explained it.
#4 | 04-25-2013 | Corona688 (Forum Staff, Mead Rotor)
 
Join Date: Aug 2005
Last Activity: 31 October 2014, 9:36 PM EDT
Location: Saskatchewan
Posts: 19,745
Thanks: 832
Thanked 3,375 Times in 3,162 Posts
Yes, I think I understand now. You want to be able to cut off a customer from everything but paypal at will.

You have control of your own local DNS server, yes? Override PayPal's IP addresses locally. Force it to have one and only one IP per domain name. These IPs are unlikely to change any time soon. (There may be several sites involved; not everything on PayPal necessarily happens on the same server.)

You cannot transparently proxy SSL connections, that'd be considered an attack.

Last edited by Corona688; 04-25-2013 at 04:11 PM..
#5 | 04-25-2013 | darkman_hr (Registered User)
 
Join Date: Oct 2010
Last Activity: 27 July 2013, 11:49 AM EDT
Location: Sibenik, Croatia
Posts: 17
Thanks: 3
Thanked 0 Times in 0 Posts
Hm, you're right about SSL. Didn't think of that; makes sense.
As for the IP, hm, surely I could add it to dnsmasq.conf and the hosts file, but would it work? Hm, perhaps it just may. I know of 4 DNS names to be resolved in order to get this through: paypal.com, www.paypal.com, paypalobjects.com and www.paypalobjects.com. It just might work if I ground them to a single one of their resolved IPs. Nice thinking, thanks for the insight; that's a good idea.

Wish there was a module for iptables to always check the domain name when a hit is made, not just at the time you add the rule to the kernel.

Perhaps there is something like that? Would be even better.
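The pinning idea from the previous two posts, written out as an added example (not code from the thread or its posters): a small generator that emits the dnsmasq `host-record=` lines for the four names listed above and the iptables commands that go with them. Two things the prose leaves implicit are made explicit here: the pin only helps if clients actually use your dnsmasq, so port 53 on the portal interface is DNATed to it; and the firewall allow list is derived from the same pin list, so the two cannot drift apart. The interface wlan0, the gateway address 192.168.1.1, the chain MY_PORTAL and the 203.0.113.x addresses are placeholders; look the real addresses up with `dig +short A` before pinning.

```shell
#!/bin/sh
# Added example: pin each PayPal hostname to one address in dnsmasq, force
# portal clients to use that dnsmasq, and allow HTTP/HTTPS only to the pinned
# addresses. All names, addresses and interface names below are placeholders.

# name=ip pairs; the addresses are constructed for this example, not real ones.
PINS="${PINS:-paypal.com=203.0.113.10 www.paypal.com=203.0.113.10 paypalobjects.com=203.0.113.20 www.paypalobjects.com=203.0.113.20}"
LAN_IF="${LAN_IF:-wlan0}"         # interface the captive-portal clients sit on
GW="${GW:-192.168.1.1}"           # address dnsmasq listens on
CHAIN="${CHAIN:-MY_PORTAL}"       # portal chain that otherwise drops everything

# dnsmasq_pins: one host-record line per pair. host-record pins exactly that
# name (no subdomain wildcard), so only the listed hosts resolve to the pin.
dnsmasq_pins() {
    for pair in $PINS; do
        printf 'host-record=%s,%s\n' "${pair%%=*}" "${pair#*=}"
    done
}

# pinned_ips: the distinct addresses behind the pins, so the allow list is
# exactly as long as it needs to be.
pinned_ips() {
    for pair in $PINS; do printf '%s\n' "${pair#*=}"; done | sort -u
}

# firewall_rules: print (do not run) the iptables commands.
firewall_rules() {
    # Redirect every client DNS query to the local dnsmasq so a client that
    # configures its own resolver still gets the pinned answers.
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
            "$LAN_IF" "$proto" "$GW"
    done
    # Allow web traffic to the pinned addresses only.
    pinned_ips | while read -r ip; do
        for port in 80 443; do
            printf 'iptables -A %s -d %s -p tcp --dport %s -j ACCEPT\n' "$CHAIN" "$ip" "$port"
        done
    done
}

case "${1:-}" in
    dnsmasq)  dnsmasq_pins ;;    # sh pin_paypal.sh dnsmasq > /etc/dnsmasq.d/paypal.conf
    firewall) firewall_rules ;;  # sh pin_paypal.sh firewall | sh    (as root)
esac
```

Because the pin freezes an address that PayPal, not you, controls, re-run `dig +short A` against each name on a schedule and compare with the pin list; a pinned address that PayPal has retired shows up as a payment page that no longer loads, and the comparison catches it before a customer does. A test payment through the portal also reveals whether the checkout pulls resources from any host not in the list.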
#6 | 04-25-2013 | Corona688 (Forum Staff, Mead Rotor)
 
Join Date: Aug 2005
Last Activity: 31 October 2014, 9:36 PM EDT
Location: Saskatchewan
Posts: 19,745
Thanks: 832
Thanked 3,375 Times in 3,162 Posts
Quote (originally posted by darkman_hr):
Wish there was a module for iptables to always check the domain name when a hit is made, not just at the time you add the rule to the kernel.

Perhaps there is something like that? Would be even better.
That wouldn't be a good idea, I think. If it had to do a domain name lookup every time it checked a certain rule, that would be a lot of DNS traffic!

Also, DNS can break down, glitch, or simply be slow. You don't want to make the kernel wait for itself -- ever. It might never stop.
#7 | 04-25-2013 | darkman_hr (Registered User)
 
Join Date: Oct 2010
Last Activity: 27 July 2013, 11:49 AM EDT
Location: Sibenik, Croatia
Posts: 17
Thanks: 3
Thanked 0 Times in 0 Posts
Hm, you're right. Even with local caching and a timeout, it would still be a bad idea.

Plus, come to think of it, it would be on L7, not the way I thought about it, as every packet would have to be checked for the domain. Hm, come to think of it, it wouldn't even be possible. Didn't really think it through.