[asterisk-users] How to configure asterisk to only accept SIP from kamailio at localhost but exchange RTP on all interfaces?

Karsten Wemheuer kwem at gmx.de
Wed Feb 26 03:19:44 CST 2014


Hi Alex,

On Tuesday, 25.02.2014, at 13:04 -0500, Alex Villacís Lasso wrote:
> On 25/02/14 08:30, Karsten Wemheuer wrote:
> > Hi Alex,
> >
> > On Thursday, 20.02.2014, at 13:48 -0500, Alex Villacís Lasso wrote:
> >> I have a setup with asterisk-11.7.0 and kamailio-4.1.1. I am following
> >> the setup guide at
> >> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb . I want to run asterisk and kamailio on the same server, with SIP realtime configuration
> >> (MySQL database) so that kamailio authenticates and then forwards the
> >> registration to asterisk on localhost. The setup calls for asterisk to
> >> be configured to listen for SIP traffic on all interfaces, on a
> >> nonstandard port (I chose 5080). It also calls for
> >> blanking of the password for the SIP peer (in my case, a softphone),
> >> so that it will not request for authentication again. I have managed
> >> to make a call with working audio from the softphone to an extension
> >> on asterisk through kamailio.
> >>
> >> My concern is that asterisk is left listening for SIP through all
> >> interfaces and with no SIP passwords. I want to secure the setup
> >> against directed traffic to the asterisk UDP port (5080), that
> >> bypasses the kamailio process. I tried setting
> >> bindaddr=127.0.0.1 so asterisk will only listen for SIP traffic on
> >> localhost, but this has the side effect of also removing audio - the
> >> call appears to be successful on the softphone and on the asterisk
> >> logs, but no audio is actually heard. My theory is
> >> that the RTP traffic is being sent to kamailio instead of the
> >> softphone.
> >>
> >> How can I set up asterisk so that it can send RTP anywhere but reject
> >> any SIP traffic that does not come from the kamailio process on
> >> localhost?
> >>
> > If You bind asterisk to 127.0.0.1 I think the media connection is set
> > for this IP. Your Softphone can not reach the correct 127.0.0.1
> > (localhost is everywhere).
> >
> > I would suggest You set up asterisk on eth0 address or 0.0.0.0. In the
> > sip.conf You could secure Your setup with
> >          deny = 0.0.0.0/0.0.0.0
> >          permit = Your-LAN-Adress
> > This way asterisk accepts SIP from Your box only.
> >
> This might work, but would need to touch sip.conf every time the IP
> address changes. It would be nice to have a configuration that can be
> set up once and not modified again. That is why I wanted to set up
> localhost.
> 
It is the LAN address of Your Server, where asterisk and kamailio are
running. The permit entry allows communication between kamailio and
asterisk. Why would You change this address? Maybe I don't understand
Your setup.

Karsten
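
Added example, not part of the original message and not Asterisk's own code: a small model of how the deny/permit pair suggested above sorts SIP sources. It assumes rules are applied in order with the last matching rule deciding and no match meaning allowed; 192.0.2.10 is a constructed stand-in for "Your-LAN-Adress", and the other addresses are constructed too.

```python
import ipaddress

def parse_rule(sense, spec):
    """Turn ('deny', '0.0.0.0/0.0.0.0') into (sense, network); a bare address is a /32."""
    if "/" not in spec:
        spec += "/32"
    return sense, ipaddress.ip_network(spec, strict=False)

def sip_allowed(rules, src):
    """Walk the rules in order; the last rule that matches decides (assumed semantics)."""
    addr = ipaddress.ip_address(src)
    verdict = "permit"  # assumption: a source that matches no rule is allowed
    for sense, net in rules:
        if addr in net:
            verdict = sense
    return verdict == "permit"

# The two sip.conf lines from the thread, with a constructed LAN address.
ACL = [
    parse_rule("deny", "0.0.0.0/0.0.0.0"),
    parse_rule("permit", "192.0.2.10"),
]

# Constructed SIP sources hitting the asterisk port (5080 in the thread).
SOURCES = {
    "kamailio sending from the LAN address": "192.0.2.10",
    "kamailio sending from loopback": "127.0.0.1",
    "softphone bypassing kamailio": "192.0.2.77",
    "unrelated outside host": "203.0.113.5",
}

def evaluate(rules=ACL, sources=SOURCES):
    """Return {label: True if the SIP request would be accepted}."""
    return {label: sip_allowed(rules, ip) for label, ip in sources.items()}

if __name__ == "__main__":
    for label, ok in evaluate().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6}  {label}")
```

The loopback row shows that the outcome depends on which source address kamailio uses when it forwards to asterisk: only the permitted address gets through.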
