Paypal / iptables

For some time now I have had this problem, as PayPal got into dynamic IPs of a sort.

I have a (home-made) captive portal on Linux/iptables/PHP. I'd like to always allow PayPal, and before I used 'iptables -I my_table -d paypal.com -j ACCEPT' (or RETURN, or whatever/wherever). Nowadays that doesn't work. So the best I could do is make a script that would "dig" the IP every x minutes and write that IP into a MySQL database that is later read by my iptables whenever it needs updating. I think I got around 100 IPs and the database finally stopped populating.

My question is: how can I allow PayPal without entering every single IP into iptables? I'm sure others have had this problem. I was just wondering how anybody else solved it.

Unless you want to start personally authorizing every individual bank, escrow agency, and webmail provider in the world, I wouldn't even try policing SSL connections.

Explain the bigger picture here. What exactly are you blocking and not, with what goal?

We are a small city where wireless is shared by our users, but occasionally (seasonally) we have tourists, and a small donation of $1 per day is required if you're that type of user.

Now, everything is blocked and locked to the Linux machine, but PayPal needs to be allowed so the user can pay, which is then redirected back to the database, and the server lets the customer surf.

Right now I have 100 IPs in my database that point directly to PayPal servers, but the table seems a lot large for just one page.

Is there anything simpler I could do? I think MikroTik OS (as they call it) has some sort of local transparent proxy just for that page? How do I set that up?

Perhaps CONNMARK the entire connection and mark it so that whenever the keyword "paypal" is in a packet it is forwarded to a local HTTP proxy?

Uhh, hope I explained it.

Yes, I think I understand now. You want to be able to cut off a customer from everything but PayPal at will.

You have control of your own local DNS server, yes? Override PayPal's IP addresses locally. Force it to have one and only one IP per domain name. These IPs are unlikely to change any time soon. (There may be several sites involved; not everything on PayPal necessarily happens on the same server.)

You cannot transparently proxy SSL connections; that'd be considered an attack.


Hm, you're right about SSL. Didn't think of that; makes sense.
As for the IP, hm, surely I could add it to dnsmasq.conf and the hosts file, but would it work? Hm, perhaps it just may. I know of 4 DNS names to be resolved in order to get this through: paypal.com, www.paypal.com, paypalobjects.com and www.paypalobjects.com. It just might work if I ground them to a single one of their resolved IPs. Nice thinking, thanks for the insight, that's a good idea.

Wish there was a module for iptables to always check the domain name when a hit is made, not just at the time you add the rule to the kernel.

Perhaps there is something like that? It would be even better.

That wouldn't be a good idea I think. If it had to do a domain name lookup every time it checked a certain rule, that would be a lot of DNS traffic!

Also, DNS can break down, glitch, or simply be slow. You don't want to make the kernel wait for itself -- ever. It might never stop.

Hm, you're right. Even with local caching and a timeout, it would still be a bad idea.

Plus, come to think of it, it would be on L7, not the way I thought about it, as every packet would have to be checked for the domain. Hm, come to think of it, it wouldn't even be possible. Didn't really think it through. :slight_smile:

I've done exactly that with dnsmasq, redirecting in-office things to the server's internal IP instead of its external one. Don't see why it wouldn't work for all-external addresses.

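The dnsmasq pinning suggested in the replies above, as an added example that is not code from the thread: it resolves each of the four names the poster listed once, writes an `address=` pin for each, and allows only HTTPS to those pinned addresses in the portal chain. The chain name `my_table` comes from the first post; the config path, the use of `dig`, and the `APPLY_PAYPAL_PINS` guard are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Pins each PayPal name to one resolved
# IPv4 address in dnsmasq and emits matching iptables allow rules for the
# portal chain. Chain "my_table" is the poster's; the path and "dig" are assumed.

DOMAINS="paypal.com www.paypal.com paypalobjects.com www.paypalobjects.com"
CHAIN="${CHAIN:-my_table}"
DNSMASQ_CONF="${DNSMASQ_CONF:-/etc/dnsmasq.d/paypal-pin.conf}"

# First A record for a name, or empty if none.
resolve_one() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# dnsmasq line pinning a name to one address (it also covers subdomains).
dnsmasq_line() {
    printf 'address=/%s/%s\n' "$1" "$2"
}

# Portal rule: accept only HTTPS to the pinned address, nothing broader.
iptables_rule() {
    printf 'iptables -I %s -d %s -p tcp --dport 443 -j ACCEPT\n' "$CHAIN" "$1"
}

# Turn "host ip" pairs on stdin into dnsmasq config; testable without live DNS.
build_dnsmasq() {
    while read -r host ip; do
        [ -n "$host" ] && [ -n "$ip" ] || continue
        dnsmasq_line "$host" "$ip"
    done
}

# Turn the same pairs into one allow rule per distinct address.
build_rules() {
    awk 'NF == 2 { print $2 }' | sort -u | while read -r ip; do
        iptables_rule "$ip"
    done
}

# Live run: resolve, write the pin file, apply rules. Guarded so that sourcing
# the file does not touch dnsmasq or iptables.
if [ "${APPLY_PAYPAL_PINS:-0}" = 1 ]; then
    pairs=$(for d in $DOMAINS; do
        ip=$(resolve_one "$d")
        [ -n "$ip" ] && echo "$d $ip" || echo "no A record for $d" >&2
    done)
    printf '%s\n' "$pairs" | build_dnsmasq > "$DNSMASQ_CONF"
    printf '%s\n' "$pairs" | build_rules | sh
fi
```

Run it with `APPLY_PAYPAL_PINS=1` on the gateway and reload dnsmasq afterwards; the pin only helps if clients actually use this resolver, so the portal chain should still drop outbound port 53 to any other server.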

Hm, I think it just might work, if PayPal doesn't redirect to a second, third or whatever server in the process.

I'll try it one of these days and report how it goes :wink:

Thanks :wink: