Paypal / iptables
# 1  
Old 04-25-2013

For some time now I have had this problem, as PayPal has moved to dynamic IPs of a sort.

I have a (home-made) captive portal on Linux/iptables/PHP. I'd like to always allow PayPal, and before I used 'iptables -I my_table -d paypal.com -j ACCEPT' (or RETURN, or whatever/wherever). Nowadays that doesn't work. So the best I could do was make a script that would "dig" the IP every x minutes and write that IP into a MySQL database that is later read by my iptables whenever it needs updating. I think I got around 100 IPs and the database finally stopped populating.

My question is: how can I allow PayPal without entering every single IP into iptables? I'm sure others have had this problem. I was just wondering how anybody solved it their own way?
# 2  
Old 04-25-2013
Unless you want to start personally authorizing every individual bank, escrow agency, and webmail provider in the world, I wouldn't even try policing ssl connections.

Explain the bigger picture here. What exactly are you blocking and not, with what goal?
# 3  
Old 04-25-2013
We are a small city where wireless is shared by our users, but occasionally (seasonally) we have tourists, and a small donation of $1 per day is required if you're that type of user.

Now, everything is blocked and locked to the Linux machine, but PayPal needs to be allowed so the user can pay, which is then redirected back to the database and the server lets the customer surf.

Right now I have 100 IPs in my database that point directly to PayPal servers, but the table seems a lot too large for just one page.

Is there anything simpler I could do? I think MikroTik OS (or whatever they call it) has some sort of local transparent proxy just for that page? How do I set that up?

Perhaps connmark the entire connection and mark it so that whenever the keyword "paypal" is in a packet, it is forwarded to a local HTTP proxy?

Uhh, hope I explained it.
# 4  
Old 04-25-2013
Yes, I think I understand now. You want to be able to cut off a customer from everything but paypal at will.

You have control of your own local DNS server, yes? Override PayPal's IP addresses locally. Force it to have one and only one IP per domain name. These IPs are unlikely to change any time soon. (There may be several sites involved; not everything on PayPal necessarily happens on the same server.)

You cannot transparently proxy SSL connections, that'd be considered an attack.

Last edited by Corona688; 04-25-2013 at 05:11 PM..
# 5  
Old 04-25-2013
Hm, you're right about SSL. Didn't think of that; makes sense.
As for the IP, hm, surely I could add it to dnsmasq.conf and the hosts file, but would it work? Hm, perhaps it just may. I know of 4 DNS names to be resolved in order to get this through: paypal.com, www.paypal.com, paypalobjects.com and www.paypalobjects.com. It just might work if I ground them to a single one of their resolved IPs. Nice thinking, thanks for the insight, that's a good idea.

Wish there were a module for iptables to always check the domain name when a hit is made, not just at the time you add the rule to the kernel.

Perhaps there is something like that? It would be even better.
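An added example (not code from the thread) that ties together post #1's dig-and-iptables script and the DNS pinning suggested in posts #4 and #5: it resolves the four names listed above, rebuilds the my_table chain from scratch on every run instead of accumulating entries, and can also print dnsmasq address= pins using the first answer per name. The chain name comes from post #1; the command-line flags, the dnsmasq output format and the test values are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Resolve the PayPal names, then either
# rebuild the iptables chain (replacing stale addresses rather than appending,
# which is what let post #1's database grow to ~100 entries) or emit dnsmasq pins.
# Caveat: an ACCEPT by destination IP also admits any other site hosted on that IP.
set -eu

CHAIN="${CHAIN:-my_table}"   # chain name taken from post #1
NAMES="paypal.com www.paypal.com paypalobjects.com www.paypalobjects.com"

# resolve_pairs: print "name ip" for each A record of each name (needs dig + network)
resolve_pairs() {
  for name in $NAMES; do
    dig +short A "$name" 2>/dev/null \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sed "s/^/$name /"
  done
}

# valid_pairs: keep only well-formed "name dotted-quad" lines from stdin
valid_pairs() {
  grep -E '^[A-Za-z0-9.-]+ ([0-9]{1,3}\.){3}[0-9]{1,3}$' || true
}

# rules_for CHAIN: read pairs on stdin, print commands that flush CHAIN and
# re-add one ACCEPT per unique address, ending with RETURN (post #1's rule shape)
rules_for() {
  chain="$1"
  printf 'iptables -F %s\n' "$chain"
  valid_pairs | awk '{print $2}' | sort -u | while IFS= read -r ip; do
    printf 'iptables -A %s -d %s -j ACCEPT\n' "$chain" "$ip"
  done
  printf 'iptables -A %s -j RETURN\n' "$chain"
}

# dnsmasq_pins: read pairs on stdin, print one address=/name/ip line per name,
# using the first answer seen, i.e. the "one and only one IP per name" idea of post #4
dnsmasq_pins() {
  valid_pairs | awk '!seen[$1]++ {print "address=/" $1 "/" $2}'
}

# Assumed flags: --rules prints the chain rebuild, --apply runs it, --dnsmasq prints pins.
case "${1:-}" in
  --rules)   resolve_pairs | rules_for "$CHAIN" ;;
  --apply)   resolve_pairs | rules_for "$CHAIN" | sh -e ;;
  --dnsmasq) resolve_pairs | dnsmasq_pins ;;
esac
```

Run it from cron every x minutes with --apply so the chain always reflects the current answers, and put the --dnsmasq output into dnsmasq.conf if you go the pinning route.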
# 6  
Old 04-25-2013
Quote:
Originally Posted by DARKMAN_HR
Wish there were a module for iptables to always check the domain name when a hit is made, not just at the time you add the rule to the kernel.

Perhaps there is something like that? It would be even better.
That wouldn't be a good idea I think. If it had to do a domain name lookup every time it checked a certain rule, that would be a lot of DNS traffic!

Also, DNS can break down, glitch, or simply be slow. You don't want to make the kernel wait for itself -- ever. It might never stop.
# 7  
Old 04-25-2013
Hm, you're right. Even with local caching and a timeout, it would still be a bad idea.

Plus, come to think about it, it would be on L7, not the way I thought about it, as every packet would have to be checked for the domain. Hm, come to think about it, it wouldn't even be possible. Didn't really think it through.