<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:12pt"><div>Hello <span>Brett Nemeroff!<br><br>Thanks for your valuable suggestion and for the security measure to avoid spoofing by bad customers; I will try it.<br><br>Thanks<br>Regards,<br>Zulqarnain<br><br><br><br><br></span>>Honestly, this is outside of the scope of this mailing list, but this<br>>may get you on track.<br><br>>First you'll need an asterisk context in the [general] section of your sip.conf:<br>>[general]<br>>context=default<br><br>>then in extensions.conf you'll need to use the SIP_HEADER function, to<br>>check for the header and do your magic based on the result. For your<br>>reference, here's the doc for the SIP_HEADER function<br><br>>[Syntax]<br>>SIP_HEADER(&lt;name&gt;[,&lt;number&gt;])<br><br>>[Synopsis]<br>>Gets the specified SIP
header<br><br>>[Description]<br>>Since there are several headers (such as Via) which can occur multiple<br>>times, SIP_HEADER takes an optional second argument to specify which header with<br>>that name to retrieve. Headers start at offset 1.<br>======%<===========<br><br><br>>Lastly, if you are going to add a header with opensips to include<br>>something that is an authoritative reference to the customer, then you<br>>MUST first remove the header from the incoming message or your<br>>customer could spoof it. Let me give you an example, I'm a "bad<br>>customer" and I see you are on the mailing list and are using<br>>X-source-ip: header to authenticate calls. So before I send you calls,<br>>I'll stick in a:<br>>X-source-ip: 192.168.1.1<br><br>>to mess you up. If you don't first remove the header, both headers (I<br>>think?) will likely reach the asterisk and heaven only knows which one<br>>asterisk will
use. :)<br><br>>Of course, alternatively, you can just do this IN opensips. I do this,<br>>works great. And as a big plus, it doesn't use asterisk or funky<br>>headers. :)<br>>-Brett<br><br><br><br>On Sat, Dec 12, 2009 at 1:31 PM, Muhammad Zulqarnain<br>&lt;<a ymailto="mailto:mzulqarnain2002@yahoo.com" href="mailto:mzulqarnain2002@yahoo.com">mzulqarnain2002@yahoo.com</a>&gt; wrote:<br>> Hello!<br>><br>> Thanks Bogdan!<br>><br>> I have added the following to the sip header, which adds the source IP in the sip packet<br>> before sending to asterisk.<br>> append_hf("X-customer-ip: $si\r\n");<br>> Sip trace got the following packet, which adds X-customer-ip: x.x.x.x to the sip<br>> header, but I am wondering how to tell/set up asterisk to read the source IP from the<br>> additional sip header instead of network level. Also I have another switch<br>> named Voipswitch on which I would not be able to customize
anything to<br>> honor the incoming sip header for source ip validation, so the solution should work<br>> for all GW/Server other than asterisk only.<br>><br>> U 2009/12/12 18:58:32.829652 y.y.y.y:5060 -> z.z.z.z:5060<br>> INVITE sip:<a ymailto="mailto:123456789@y.y.y.y" href="mailto:123456789@y.y.y.y">123456789@y.y.y.y</a> SIP/2.0.<br>> Record-Route: &lt;sip:y.y.y.y;lr;ftag=a16f2b41;did=882.11d0f5f&gt;.<br>> To: &lt;sip:<a ymailto="mailto:123456789@y.y.y.y" href="mailto:123456789@y.y.y.y">123456789@y.y.y.y</a>&gt;.<br>> From: hello&lt;sip:<a ymailto="mailto:hello@y.y.y.y" href="mailto:hello@y.y.y.y">hello@y.y.y.y</a>&gt;;tag=a16f2b41.<br>> Via: SIP/2.0/UDP y.y.y.y;branch=z9hG4bKfb2e.a79595a4.0.<br>> Via: SIP/2.0/UDP<br>> x.x.x.x:7266;received=x.x.x.x;branch=z9hG4bK-d87543-197592634-1--d87543-;rport=7266.<br>> Call-ID: 9867b13bdc3a4f30.<br>> CSeq: 1 INVITE.<br>> Contact: &lt;sip:<a ymailto="mailto:hello@x.x.x.x"
href="mailto:hello@x.x.x.x">hello@x.x.x.x</a>:7266&gt;.<br>> Max-Forwards: 69.<br>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE,<br>> INFO.<br>> Content-Type: application/sdp.<br>> User-Agent: eyeBeam release 3007n stamp 17816.<br>> Content-Length: 237.<br>> X-customer-ip: x.x.x.x.<br>><br>> Please suggest a solution with sample configs.<br>><br>> Thanks<br>> Regards<br>> Muhammad Zulqarnain<br>><br>><br>>>Hi Muhammad,<br>>><br>>>What you can do (and I know for sure it works with Asterisk), is to<br>>> configure opensips (LB) to add the real src IP (IP of the client) into a<br>>> SIP header (in the request) and send it to Asterisk - asterisk will do IP<br>>> based auth but will take IP from that header (custom name) instead of<br>>> taking it from network level.<br>><br>>>Regards,<br>>>Bogdan<br>><br>>
Muhammad Zulqarnain wrote:<br>>> Hello!<br>>><br>>> This is Zulqarnain and my first post to this mailing list. I just started<br>>> using OpenSIPS and am trying to get myself familiar with OpenSIPS and its config<br>>> files, methods etc.<br>>><br>>> Well, I am trying to achieve the following:<br>>> Client IP: x.x.x.x<br>>> OpenSIPS: y.y.y.y<br>>> Asterisk: z.z.z.z<br>>><br>>> 1) Client -> OpenSIPS (Load_balancer) -> Asterisk1, Asterisk2....<br>>> a) If Client Request is Register -> Relay to Asterisk (It is working<br>>> fine as peer is defined with user/passwd auth, host=dynamic)<br>>> b) If Client Request is INVITE -> Relay to Asterisk (Asterisk rejects, as<br>>> peer is defined as IP Auth, type=peer, host=x.x.x.x)<br>>><br>>> The "b" scenario failed as Asterisk reads the OpenSIPS IP y.y.y.y and rejects the<br>>> call as
Asterisk is expecting Source IP x.x.x.x instead of y.y.y.y<br>>><br>>> I tried the following to fix it but with no success:<br>>><br>>> 1) 302 Redirect for GW Clients, who can only authenticate by IP and don't<br>>> support registration with user/passwd. But my DID Provider doesn't support 302<br>>> redirect, although I have tested with Eyebeam Client in peer to peer mode and<br>>> it works. But as it didn't work with my provider, I tried another way:<br>>><br>>> 2) uac_replace_from &amp; uac_replace_to functions of the uac.so module: I tried to<br>>> replace the from/to field with the client IP but the Invite is still from the OpenSIPS IP<br>>> y.y.y.y and again Asterisk/Voipswitch (another switch) reject the call.<br>>><br>>> If required I can post my config file as well here or on pastebin for your<br>>> expert reviews. I would like to know if it is possible to achieve the above<br>>> scenario with OpenSIPS,
if yes then how; any example would be appreciated.<br>>><br>>> Another small problem is that while setting up the 302 redirect I wanted to<br>>> pass the $du value to rewritehost(""), as $du has the address returned by<br>>> load_balancer of the destination IP and rewritehost() only accepts a string.<br>>> Looking for suggestions on this as well.<br>>><br>>> Hoping to receive a positive reply from the community.<br>>><br>>> Thanks<br>>> Regards,<br>>> Muhammad Zulqarnain<br>>> MSN: <a ymailto="mailto:zulqarnain@globalitvision.com" href="mailto:zulqarnain@globalitvision.com">zulqarnain@globalitvision.com</a><br>>><br>>> ------------------------------------------------------------------------<br>>><br>>> _______________________________________________<br>>> Users mailing list<br>>> <a ymailto="mailto:Users@lists.opensips.org"
href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>>> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>>><br>><br>><br>> -- Bogdan-Andrei Iancu<br>> www.voice-system.ro<br>><br>><br></div>
</div><br>
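<div>Added example, not part of the original thread and not OpenSIPS or Asterisk code: a Python model of the proxy hop discussed above, showing that a client-supplied X-customer-ip header arrives ahead of the proxy's own copy unless it is stripped first, plus a backend check modelled on the quoted SIP_HEADER offset argument that refuses duplicates. The function names and the sample INVITE (client address 203.0.113.7) are constructed for illustration.</div>
<pre>
```python
# Added example (not from the thread): models the proxy hop in Python.
TRUST_HEADER = "X-customer-ip"          # header name used in the thread

def parse(raw):
    """Split a SIP request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    first, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        if line[:1] in (" ", "\t") and headers:      # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return first, headers, body

def forward(raw, source_ip, strip_client_copy):
    """What the proxy relays: optionally drop client copies, then append its own."""
    first, headers, body = parse(raw)
    if strip_client_copy:
        # SIP header names are case-insensitive and may have spaces before ':'
        headers = [(n, v) for n, v in headers if n.lower() != TRUST_HEADER.lower()]
    headers.append((TRUST_HEADER, source_ip))
    head = "\r\n".join([first] + [n + ": " + v for n, v in headers])
    return head + "\r\n\r\n" + body

def sip_header(raw, name, number=1):
    """Modelled on the quoted SIP_HEADER doc: Nth header of that name, offset 1."""
    values = [v for n, v in parse(raw)[1] if n.lower() == name.lower()]
    return values[number - 1] if len(values) >= number else ""

def authenticated_ip(raw):
    """Backend check: trust the header only when exactly one copy arrived."""
    if sip_header(raw, TRUST_HEADER, 2):
        return None                                   # duplicate: reject
    return sip_header(raw, TRUST_HEADER, 1) or None

# Constructed sample: a "bad customer" at 203.0.113.7 pre-inserts the header,
# using different case and a space before the colon.
SPOOFED_INVITE = (
    "INVITE sip:123456789@y.y.y.y SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:7266\r\n"
    "x-CUSTOMER-ip : 192.168.1.1\r\n"
    "Content-Length: 0\r\n\r\n"
)
```
</pre>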
</body></html>