[asterisk-users] How to configure asterisk to only accept SIP from kamailio at localhost but exchange RTP on all interfaces?
kwem at gmx.de
Wed Feb 26 03:19:44 CST 2014
On Tuesday, 25.02.2014, 13:04 -0500, Alex Villacís Lasso wrote:
> On 25/02/14 08:30, Karsten Wemheuer wrote:
> > Hi Alex,
> > On Thursday, 20.02.2014, 13:48 -0500, Alex Villacís Lasso wrote:
> >> I have a setup with asterisk-11.7.0 and kamailio-4.1.1. I am following
> >> the setup guide at
> >> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb .
> >> I want to run asterisk and kamailio on the same server, with SIP
> >> realtime configuration (MySQL database) so that kamailio
> >> authenticates and then forwards the
> >> registration to asterisk on localhost. The setup calls for asterisk to
> >> be configured to listen for SIP traffic on all interfaces, on a
> >> nonstandard port (I chose 5080). It also calls for
> >> blanking of the password for the SIP peer (in my case, a softphone),
> >> so that it will not request for authentication again. I have managed
> >> to make a call with working audio from the softphone to an extension
> >> on asterisk through kamailio.
> >> My concern is that asterisk is left listening for SIP through all
> >> interfaces and with no SIP passwords. I want to secure the setup
> >> against directed traffic to the asterisk UDP port (5080), that
> >> bypasses the kamailio process. I tried setting
> >> bindaddr=127.0.0.1 so asterisk will only listen for SIP traffic on
> >> localhost, but this has the side effect of also removing audio - the
> >> call appears to be successful on the softphone and on the asterisk
> >> logs, but no audio is actually heard. My theory is
> >> that the RTP traffic is being sent to kamailio instead of the
> >> softphone.
> >> How can I set up asterisk so that it can send RTP anywhere but reject
> >> any SIP traffic that does not come from the kamailio process on
> >> localhost?
> > If You bind asterisk to 127.0.0.1 I think the media connection is set
> > for this IP. Your Softphone can not reach the correct 127.0.0.1
> > (localhost is everywhere).
> > I would suggest You set up asterisk on eth0 address or 0.0.0.0. In the
> > sip.conf You could secure Your setup with
> > deny = 0.0.0.0/0.0.0.0
> > permit = Your-LAN-Adress
> > This way asterisk accepts SIP from Your box only.
> This might work, but would need to touch sip.conf every time the IP
> address changes. It would be nice to have a configuration that can be
> set up once and not modified again. That is why I wanted to set up
It is the LAN address of Your Server, where asterisk and kamailio are
running. The permit entry allows communication between kamailio and
asterisk. Why would You change this address? Maybe I don't understand
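
Added example (not part of the original thread): a small Python model of how the deny/permit pair suggested above is evaluated, assuming Asterisk's ACL behaviour that rules are checked in order, the last matching rule wins, and an empty list allows everything. The address 192.0.2.10 is a constructed stand-in for the server's LAN address; the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for "Your-LAN-Adress" in the thread (documentation range).
LAN_ADDR = "192.0.2.10"

# The ACL as suggested in the thread, in the order it was written.
SUGGESTED_ACL = [
    "deny = 0.0.0.0/0.0.0.0",
    f"permit = {LAN_ADDR}",
]


def parse_acl(lines):
    """Parse 'deny = net/mask' and 'permit = net/mask' lines, keeping their order."""
    rules = []
    for line in lines:
        line = line.split(";", 1)[0].strip()  # ';' starts a comment in Asterisk config
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in ("deny", "permit"):
            raise ValueError(f"not an ACL line: {line!r}")
        # Dotted netmasks are accepted; a bare address becomes a /32 host entry.
        net = ipaddress.ip_network(value.strip(), strict=False)
        rules.append((key == "permit", net))
    return rules


def acl_allows(rules, source):
    """Return True if a SIP packet from `source` passes the ACL.

    Assumption: every rule is checked in order and the last match decides;
    with no matching rule the packet is allowed.
    """
    addr = ipaddress.ip_address(source)
    allowed = True
    for permit, net in rules:
        if addr in net:
            allowed = permit
    return allowed


if __name__ == "__main__":
    rules = parse_acl(SUGGESTED_ACL)
    # Constructed source addresses: the LAN address, an outside host, loopback.
    for src in (LAN_ADDR, "203.0.113.5", "127.0.0.1"):
        print(f"{src:15} -> {'accept' if acl_allows(rules, src) else 'reject'}")
```

Under this model, SIP sourced from 127.0.0.1 is rejected as well, so kamailio has to send from the permitted LAN address, and writing the permit line before the deny line rejects everything.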