[SR-Users] Kamailio Inbound proxy to Asterisk - ACL Filtering

Henning Westerholt hw at skalatan.de
Wed Oct 13 16:02:55 CEST 2021 

Hello,

if you want to modify the From header you should use the uac_replace_from function from uac module and not the PVs.
If you just want to pass the IP to the asterisk, do not change the From header but add e.g. a new "X-IP" header for it and evaluate it from asterisk.

Cheers,

Henning

-- 
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com

-----Original Message-----
From: Mihai Cezar <cezar at mokalife.ro> 
Sent: Wednesday, October 13, 2021 3:10 PM
To: Henning Westerholt <hw at skalatan.de>
Cc: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
Subject: Re: [SR-Users] Kamailio Inbound proxy to Asterisk - ACL Filtering

Hi,

I am looking at Kamailio 5.5.x wiki, and they are a few pseudo variables, $si, $siz (don't know which one to use) Should I manipulate the "From" header?

Like so:
remove_hf("From");
insert_hf("From: $fn<sip:$fU@$si:$sp>;tag=$ft\r\n","To");

Thanks in advance,

On Tue, Oct 12, 2021 at 11:39 PM Henning Westerholt <hw at skalatan.de> wrote:
>
> Hello,
>
> you can surely just add the original IP to an X-Header in Kamailio.
>
> Have a look to the pseudo-variables (e.g. incoming IP address) and textops module, append_hf function for example.
>
> Cheers,
>
> Henning
>
> --
> Henning Westerholt - https://skalatan.de/blog/ Kamailio services - 
> https://gilawa.com
>
> -----Original Message-----
> From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of 
> Mihai Cezar
> Sent: Tuesday, October 12, 2021 10:10 PM
> To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
> Subject: Re: [SR-Users] Kamailio Inbound proxy to Asterisk - ACL 
> Filtering
>
> But is there something that I can do in kamailio to send the original IP to an asterisk server like in http with the XFF header?
>
> On Mon, Oct 11, 2021 at 1:29 AM David Villasmil <david.villasmil.work at gmail.com> wrote:
> >
> > Hello, this is really an Asterisk question.
> > Here in Kamailio we'd recommend you do that filtering at the proxy level, using the "permissions" module.
> >
> > Regards,
> >
> > David Villasmil
> > email: david.villasmil.work at gmail.com
> > phone: +34669448337
> >
> >
> > On Sun, Oct 10, 2021 at 6:52 PM Mihai Cezar <cezar at mokalife.ro> wrote:
> >>
> >> Hi,
> >>
> >> The last matching rule is the one used. If no rule matches, then 
> >> the connection is permitted.
> >>
> >> Example:
> >> deny=0.0.0.0/0.0.0.0
> >> permit=1.2.3.4/32
> >> Deny every address except for the only one allowed.
> >>
> >> Basically the rules are processed from the first to the last.
> >>
> >> On Sat, Oct 9, 2021 at 3:26 PM Bugaian A. Vitalie <bugaian at gmail.com> wrote:
> >> >
> >> > Hi,
> >> >
> >> > I think its the order you apply the ACL, first permit some, then deny any?
> >> >
> >> > Vitalie.
> >> >
> >> > On Sat, Oct 9, 2021 at 1:58 PM Mihai Cezar <cezar at mokalife.ro> wrote:
> >> >>
> >> >> Hello,
> >> >>
> >> >> I have an issue with filtering on the asterisk side, my requests are:
> >> >> UsersPhones(bria) -> Kamailio -> Asterisk -> Sip Trunk Out.
> >> >>
> >> >> The goal is to manage a new layer of protection ( IP filtering / Whitelisting ).
> >> >> When I try to compile a list of Whitelisted IP in sip.conf I get this error:
> >> >>
> >> >> NOTICE[205]: acl.c:748 ast_apply_acl: SIP contact ACL: Rejecting 
> >> >> '145.72.23.45' due to a failure to pass ACL '(BASELINE)'
> >> >> WARNING[205]: chan_sip.c:17061 parse_register_contact: Domain 
> >> >> '5.12.16.2:48669' disallowed by contact ACL (violating IP
> >> >> 145.72.23.45)
> >> >> WARNING[205]: chan_sip.c:17933 register_verify: Registration 
> >> >> denied because of contact ACL
> >> >>
> >> >> The IP 145.72.23.45, is the proxy kamailio and if I added it to 
> >> >> sip.conf it works, but so does every ip afterwards.
> >> >>
> >> >> I tried with contactpermit also with permit, the result is the 
> >> >> same as long as I permit the proxy ip it works. Is there 
> >> >> something that I can do on the asterisk side to activate this 
> >> >> filtering Or there is something that I can do in Kamailio so it will forward the realip ?
> >> >>
> >> >> contactdeny=0.0.0.0/0.0.0.0
> >> >> contactpermit=145.72.23.45/32
> >> >> contactpermit=5.12.16.2/32
> >> >>
> >> >>
> >> >> Thanks in advance,
> >> >>
> >> >> __________________________________________________________
> >> >> Kamailio - Users Mailing List - Non Commercial Discussions
> >> >>   * sr-users at lists.kamailio.org
> >> >> Important: keep the mailing list in the recipients, do not reply only to the sender!
> >> >> Edit mailing list options or unsubscribe:
> >> >>   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
> >> >
> >> > __________________________________________________________
> >> > Kamailio - Users Mailing List - Non Commercial Discussions
> >> >   * sr-users at lists.kamailio.org
> >> > Important: keep the mailing list in the recipients, do not reply only to the sender!
> >> > Edit mailing list options or unsubscribe:
> >> >   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
> >>
> >> __________________________________________________________
> >> Kamailio - Users Mailing List - Non Commercial Discussions
> >>   * sr-users at lists.kamailio.org
> >> Important: keep the mailing list in the recipients, do not reply only to the sender!
> >> Edit mailing list options or unsubscribe:
> >>   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
> >
> > __________________________________________________________
> > Kamailio - Users Mailing List - Non Commercial Discussions
> >   * sr-users at lists.kamailio.org
> > Important: keep the mailing list in the recipients, do not reply only to the sender!
> > Edit mailing list options or unsubscribe:
> >   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
>   * sr-users at lists.kamailio.org
> Important: keep the mailing list in the recipients, do not reply only to the sender!
> Edit mailing list options or unsubscribe:
>   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

More information about the sr-users mailing list