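# Nathelper / registrar parameters.
# Flag 6 is the "sender is behind NAT" marker: the registrar is told about it
# here, and the routes below set it with setflag(6) and test it with
# isflagset(6).
modparam("registrar", "nat_flag", 6)
modparam("nathelper", "natping_interval", 30)  # Ping interval 30 s
modparam("nathelper", "ping_nated_only", 1)    # Ping only clients behind NAT

# ------------------------- request routing logic -------------------

# Main routing logic, run for every request:
#   1. reject requests whose Max-Forwards budget is used up,
#   2. detect NATed senders and rewrite Contact / SDP / Via for them,
#   3. authenticate and store REGISTERs,
#   4. pass requests that are not found in "location" and whose URI matches
#      the digit pattern to route[10] (the gateway leg).
# NOTE(review): no other branch in this block relays anything, so a request
# for which lookup("location") succeeds, or whose URI does not match the
# pattern, reaches the end of the route without being forwarded or answered.
# Confirm that this is intended.
route{
    # Initial sanity check: Max-Forwards. The original comment also mentions
    # excessively long requests, but no length check appears in this block.
    if (!mf_process_maxfwd_header("10")) {
        log(1, "LOG: Too many hops\n");
        sl_send_reply("483","Too Many Hops");
        break;
    };

    /* ********* RR ********************************** */
    /* Do strict routing if route headers present */
    # NOTE(review): the result of loose_route() is ignored, so a request that
    # carries Route headers continues through the NAT, REGISTER and lookup
    # logic below exactly like an initial request. Confirm this is wanted;
    # requests with Route headers also skip the private-address guard in
    # route[10].
    loose_route();

    log(1, "Incomming SIP Packet");

    # NAT detection. The log text speaks of registration, but this branch is
    # taken for every method.
    if (nat_uac_test("3")) {
        log(1, "LOG: We are behind NAT, oh boy \n");
        # Rewrite only for REGISTER, or when the message has no Record-Route
        # header.
        if (method == "REGISTER" || !search("^Record-Route:")) {
            log("LOG: Someone trying to register from private IP, rewriting\n");
            fix_nated_contact(); # Rewrite contact with source IP of signalling
            if (method == "INVITE") {
                log(1, "LOG: We are Inviting from behind NAT, oh boy \n");
                fix_nated_sdp("1"); # Add direction=active to SDP
            };
            force_rport(); # Add rport parameter to topmost Via
            setflag(6);    # Mark as NATed
        };
    };

    # REGISTER: digest-authenticate against the "subscriber" table, then
    # store the binding in "location".
    if (method=="REGISTER") {
        log(1, "Registration starte\n");
        if (!www_authorize("mysipdomain.com", "subscriber" )) {
            # challenge if none or invalid credentials
            # The second argument "0" is the same value that is labelled
            # "no qop" on proxy_challenge() in route[10].
            log(1, "We are not authorized");
            www_challenge("mysipdomain.com" , "0");
            break;
        };
        # NOTE(review): nothing here ties the To URI being registered to the
        # authenticated credentials, so any valid subscriber passes this
        # point for any address-of-record. route[10] uses check_from() for
        # the From header; an equivalent To check before save() would close
        # this gap -- confirm it fits the credential scheme.
        if (!save("location")) {
            sl_reply_error();
        };
        break;
    };

    # Not a registered local user and the URI looks like a number: gateway.
    # NOTE(review): the pattern is unanchored and stacks "+" on "{3}", so it
    # matches any URI that has three digits 1-9 directly before "@"; it is not
    # a strict "numeric user part" test.
    if(!lookup("location")&& uri=~"\+?[1-9]{3}+@.*" ) {
        log(1,"Going for route 10");
        route(10);
        break;
    }
}

# Gateway leg: authenticate the caller, normalise a leading "+" to "00" and
# relay the request to sip.mysipdomain.com:5065.
route[10] {
    # !! Nathelper
    # Refuse request URIs that point at RFC1918 addresses.
    # NOTE(review): the guard is skipped whenever the message has a Route
    # header, and it lists only the 10/8, 172.16/12 and 192.168/16 ranges
    # (no loopback or link-local). Confirm both are acceptable for this
    # deployment.
    if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" && !search("^Route:")) {
        sl_send_reply("479", "We don't forward to private IP addresses");
        break;
    };

    # if client or server know to be behind a NAT, enable relay
    if (isflagset(6)) {
        force_rtp_proxy();
    };

    # NAT processing of replies; apply to all transactions (for example,
    # re-INVITEs from public to private UA are hard to identify as
    # NATed at the moment of request processing); look at replies
    t_on_reply("1");

    # Check for authorization. ACK and CANCEL are exempt from the challenge
    # and go straight on to the relay below.
    if (!( method==ACK | method=="CANCEL" )) {
        if (!proxy_authorize( "mysipdomain.com", "subscriber")) {
            proxy_challenge( "mysipdomain.com" /* realm */, "0" /* no qop */ );
            break;
        # let's check from=id ... avoids accounting confusion
        # NOTE(review): the From check is applied to INVITE only; other
        # authenticated methods are relayed with whatever From they carry.
        } else if (method=="INVITE" & !check_from()) {
            log(1,"LOG: From Cheating attempt\n");
            sl_send_reply("403", "That is ugly -- use From=id next time (gw)");
            break;
        };
    };

    # Forward to asterisk for the outbound leg.
    # The condition used to start with a stray "~" before "uri"; it is removed
    # here. The pattern is anchored so that strip(1) runs only when the user
    # part really begins with "+", not when "sip:+" appears later in the URI.
    if (uri=~"^sip:\+") {
        log(1, "Rewriting + prefix with 00");
        strip(1);
        prefix("00");
    }

    #exec_dset("/usr/local/ser/scripts/loadbalance.sh");
    rewritehostport("sip.mysipdomain.com:5065");
    log(1, "LOG: *************************************************\n");
    log(1, "LOG: Exernal Call, forwarding thru * for Carrier stuff\n");
    log(1, "LOG: *************************************************\n");
    if (!t_relay()) {
        sl_reply_error();
        break;
    };
}

# !! Nathelper
# Reply handling for transactions armed with t_on_reply("1") in route[10].
onreply_route[1] {
    # NATed transaction ?
    # 183 and 2xx replies of a transaction already flagged as NATed get the
    # Contact rewrite and the RTP proxy.
    if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
        fix_nated_contact();
        force_rtp_proxy();
    # otherwise, is it a transaction behind a NAT and we did not
    # know at time of request processing ? (RFC1918 contacts)
    } else if (nat_uac_test("1")) {
        fix_nated_contact();
    };
}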