[asterisk-users] How to configure asterisk to only accept SIP from kamailio at localhost but exchange RTP on all interfaces?

Alex Villacís Lasso a_villacis at palosanto.com
Thu Feb 20 15:52:03 CST 2014


On 20/02/14 15:07, Markus wrote:
> On 20.02.2014 19:48, Alex Villacís Lasso wrote:
>> My concern is that asterisk is left listening for SIP through all
>> interfaces and with no SIP passwords. I want to secure the setup against
>> directed traffic to the asterisk UDP port (5080), that bypasses the
>> kamailio process. I tried setting bindaddr=127.0.0.1 so asterisk will
>> only listen for SIP traffic on localhost, but this has the side effect
>> of also removing audio - the call appears to be successful on the
>> softphone and on the asterisk logs, but no audio is actually heard. My
>> theory is that the RTP traffic is being sent to kamailio instead of the
>> softphone.
>
> Theories are nice, but you should check whether they are true using, e.g., tcpdump :)
>
> I would check with, for example:
>
> tcpdump -nnnqt -s 0 -A -i eth0 port 5060
>
> or instead of "port 5060" (or 5080) try "udp" to see what is going on with RTP. Change from eth0 to lo to see if there is really RTP going to nowhere. When looking at port 5060/5080, check the SDP header to see what kamailio/Asterisk/your softphone announce in terms of RTP.
>
> I thought kamailio is a SIP server/proxy only and is not involved in RTP at all.
>

From a wireshark capture, what the softphone sees when contacting kamailio (in the bindaddr=127.0.0.1 configuration) is that the media negotiation in the OK packet contains a random UDP port (as expected) but indicates that the IP for RTP is 127.0.0.1.

I have also tried deny=0.0.0.0/0.0.0.0 permit=127.0.0.1/255.0.0.0, but the softphone then gets denied through kamailio too. It seems deny/permit restricts the IP of the original contact, not the IP the SIP traffic was received through.

> In any case, if you want to only allow only certain connections from somewhere to somewhere (including from/to certain ports), iptables is your friend if you are using Linux.
>
>
I know iptables would solve my issue, and I will certainly use it, but I do not want to rely on iptables as the *only* thing that prevents the SIP proxy bypass. I want an asterisk configuration that will only accept SIP signaling traffic coming from a specific IP (in my case, 127.0.0.1), but will then negotiate RTP across any interface that will contact the softphone. I want this to work with the IP of the original contact.
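The check Markus recommends (look at what the SDP in the 200 OK actually announces as the RTP address, rather than theorizing) can be done offline on a captured message. The script below is an added example written for this page, not code from the thread or from Asterisk or kamailio: it parses the SDP body of a SIP response, lists every media stream with the connection address it advertises, and flags streams whose address a remote softphone can never reach (loopback or unspecified), which is exactly the symptom described above. The sample 200 OK is constructed; its addresses, tags, Call-ID and the port 5080 are illustrative assumptions, not captured data.

```python
"""Report the RTP address a SIP response advertises in its SDP body.

Added example, not part of the original mailing-list thread.  It performs
offline the check suggested in the thread: read the SDP of a captured
SIP 200 OK and flag media streams whose connection address a remote
softphone cannot reach.  The sample message is constructed; all
addresses, tags, the Call-ID and the port 5080 are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: what a softphone might see when Asterisk is run with
# bindaddr=127.0.0.1 behind the proxy (hypothetical values throughout).
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@example.net>;tag=1928301774\r\n"
    "To: <sip:1002@example.net>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710@example.net\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:1002@127.0.0.1:5080>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 127.0.0.1\r\n"
    "s=Asterisk\r\n"
    "c=IN IP4 127.0.0.1\r\n"
    "t=0 0\r\n"
    "m=audio 18346 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)


@dataclass
class MediaAdvert:
    """One m= line of the SDP together with the address it resolves to."""
    media: str
    port: int
    address: Optional[str]

    @property
    def remotely_reachable(self) -> bool:
        # No address at all, loopback or 0.0.0.0 cannot be reached by a
        # remote peer; anything else is at least plausibly reachable.
        if not self.address:
            return False
        ip = ipaddress.ip_address(self.address)
        return not (ip.is_loopback or ip.is_unspecified)


def split_sip(message: str) -> Tuple[str, str]:
    """Separate SIP headers from the body at the first blank line."""
    head, _, body = message.partition("\r\n\r\n")
    return head, body


def parse_sdp_media(sdp: str) -> List[MediaAdvert]:
    """Collect media streams; a media-level c= overrides the session c=."""
    session_addr: Optional[str] = None
    adverts: List[MediaAdvert] = []
    current: Optional[MediaAdvert] = None
    for line in sdp.splitlines():
        if line.startswith("c="):
            # c=<nettype> <addrtype> <connection-address>[/ttl]
            addr = line.split()[2].split("/")[0]
            if current is None:
                session_addr = addr
            else:
                current.address = addr
        elif line.startswith("m="):
            # m=<media> <port> <proto> <fmt> ...
            parts = line.split()
            current = MediaAdvert(parts[0][2:], int(parts[1]), session_addr)
            adverts.append(current)
    return adverts


def check_advertised_rtp(message: str) -> List[str]:
    """Return one finding per media stream a remote softphone cannot reach."""
    _, body = split_sip(message)
    return [
        f"{a.media} advertised on {a.address}:{a.port} is unreachable remotely"
        for a in parse_sdp_media(body)
        if not a.remotely_reachable
    ]


if __name__ == "__main__":
    for advert in parse_sdp_media(split_sip(SAMPLE_200_OK)[1]):
        print(advert)
    for finding in check_advertised_rtp(SAMPLE_200_OK):
        print("WARNING:", finding)
```

Feed it the text of a 200 OK exported from wireshark or tcpdump -A; a warning for the audio stream confirms that the far end was told to send RTP to 127.0.0.1, which matches the "call connects, no audio" symptom regardless of which process the media then reaches.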


