[OpenSIPS-Users] Opensips

Антон Лытаев avlytaev82 at gmail.com
Fri Feb 28 09:14:44 CET 2014 

Hi. Please help.
We have:
One MGW: Cisco AS5350
UserID=telephone number and registration on OpenSips through MySQL
Call to PSTN pass through MGW with prefix 9999:

Now, such a scheme works:

(UAC       )---->sip----->Opensips 1.7--->SIP--->MGW Cisco
85.85.85.95               85.85.85.85                 85.85.85.11
RTP----------------------------------------------------------->MGW
Cisco-------->PSTN

Here is an example CFG-file that works now:
The message "183" prefix and visible IP gateway. And that could be a threat of
fraud.
Here: if you use the function topology_hiding (); it does not happen a fair
exchange:
"BYE" comes to the message "404", "Not here" rather than "200 OK"
I use client_nat_test to cut off all requests for registration are NAT, but it
does not work!

port=5060
listen=udp:85.85.85.85:5060 #Opensips-server
route{
if (has_totag()) {
    if (loose_route()) {
    if (is_method("BYE")) {
    setflag(1);
    setflag(3);}
    else if (is_method("INVITE")) {
    #topology_hiding();
    record_route();    }
    route(1);}
    else {
    if ( is_method("ACK") ) {
    if ( t_check_trans() ) {
    t_relay();
    exit;}
    else {
    exit;
    }}
    sl_send_reply("404","Not here");
    }
    exit;
}

#initial requests
if (is_method("CANCEL")){
if (t_check_trans())
t_relay();
exit;}

t_check_trans();

# authenticate if from local subscriber (uncomment to enable auth)
# authenticate all initial non-REGISTER request that pretend to be
# generated by local subscriber (domain from FROM URI is local)

if (!(method=="REGISTER") && from_uri==myself) #/*no multidomain version*/
{if (!proxy_authorize("", "subscriber"))
{proxy_challenge("", "0");
exit;}
if (!db_check_from())
{sl_send_reply("403","Forbidden auth ID");
exit;}
consume_credentials();
}

# preloaded route checking
if (loose_route())
{xlog("L_ERR","Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
if (!is_method("ACK"))    sl_send_reply("403","Preload Route denied");
exit;
}

# record routing
if (!is_method("REGISTER|MESSAGE")) record_route();

# account only INVITEs    if (is_method("INVITE"))
{
# if (!src_ip=="85.85.85.11") #CISCO MGW IP
#{
#        topology_hiding();
#        }
setflag(1); # do accounting
}

if (!uri==myself)    ## replace with following line if multi-domain support
is used
{
route(1);}

# requests for my domain
if (is_method("PUBLISH")){
sl_send_reply("503", "Service Unavailable");
exit;}

if (is_method("REGISTER")){
#        if(client_nat_test("3"))
#        {
#            sl_send_reply("403", "Not working NAT");
#            exit;
#        }

# authenticate the REGISTER requests (uncomment to enable auth)
if (!www_authorize("", "subscriber"))    {
www_challenge("", "0");
exit;}
if (!db_check_to()) {
sl_send_reply("403","Forbidden auth ID");
exit;}
if (!save("location"))
sl_reply_error();
exit;
}

if ($rU==NULL) {
# request with no Username in RURI
sl_send_reply("484","Address Incomplete");
exit;
}

# do lookup with method filtering
if ((src_ip=="85.85.85.11") && (!lookup("location")))
{
switch ($retcode) {
case -1:
case -3:
t_newtran();
t_reply("404", "Not Found");
exit;
case -2:
sl_send_reply("405", "Method Not Allowed");
exit;
}}

# when routing via usrloc, log the missed calls also
setflag(2);

if (src_ip=="85.85.85.11") {
route(1);}
route(3);
}

route[1] {
# for INVITEs enable some additional helper routes
if (is_method("INVITE")) {
t_on_branch("2");
t_on_reply("2");
t_on_failure("1");}
if (!t_relay()) {
sl_reply_error();};
exit;}
####################################################
route[3] {
prefix("9999");
rewritehostport("85.85.85.11:5060");
if (!t_relay()) {
sl_reply_error();
};exit;
}
####################################################
branch_route[2] { xlog("new branch at $ru\n");}
onreply_route[2] { xlog("incoming reply\n"); }

failure_route[1] {
if (t_was_cancelled()) {exit;}}


It's not safe, it's necessary to build a new wiring diagram:
(UAC      )--->sip,RTP---->(Opensips--->rtp,SIP------>)----->MGW
Cisco--->PSTN
85.85.85.95                    (85.85.85.85   192.168.0.2)      192.168.0.3

questions:
1. to hide the network topology from the users (can be used dialog module,
function: topology_hiding?)
2. hide RTP traffic to MGW for Opensips-server (can be used MediaProxy or
rtpproxy)?
3. Cut off all who are NAT!!!
Please, give examples opensips.cfg-file ?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20140228/16d22069/attachment-0001.htm>

More information about the Users mailing list