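# www.fccn.pt
# 19-10-2005
# Jose Soler / Maxim Sobolev / Joao Pereira
#
# SER / NAThelper / RTPproxy in bridging mode
#
# SER with two IPs, in two non-routable networks
# 192.168.0.0/24 and 192.168.1.0/24
#
# this machine has two IP addresses:
# 192.168.0.1 and 192.168.1.1
#
# (Original Portuguese note, translated: SER with two IPs on two
# non-routable networks; the machine has two IPs: 192.168.0.1 and
# 192.168.1.1.)
#
# it works running RTPproxy in bridging mode, one socket per subnet:
#   rtpproxy -l 192.168.0.1/192.168.1.1
#
# Postgres version
# NOTE(review): despite the title, nothing below loads a database module
# and usrloc runs with db_mode=0, so registrations live in memory only and
# are lost on restart -- confirm whether the Postgres part of this config
# was stripped before publication.
#
# Security summary of this configuration (details in the NOTE(review)
# comments inline):
#   * REGISTER is accepted without digest authentication -- any host that
#     can reach either interface can bind any AOR (registration hijacking).
#     The auth hooks are kept below, commented out.
#   * Non-INVITE requests addressed to foreign domains are relayed
#     unconditionally (no uri==myself gate with a reject branch).
#   * The management FIFO was world-writable (0662); it is now 0660.
#
# ----------- global configuration parameters ------------------------
fork=yes
log_stderror=yes
check_via=no	# (cmd. line: -v)
dns=no		# (cmd. line: -r)
rev_dns=no	# (cmd. line: -R)

# Management FIFO: whoever can write to it can issue ul_add / ul_rm and
# the other control commands. The original mode 0662 made it
# world-writable; 0660 limits it to ser's user and group, so run serctl
# (or any other FIFO client) as a member of that group. /tmp is shared
# and swept by tmp reapers; a private directory such as /var/run/ser/ is
# preferable when available.
fifo="/tmp/ser_fifo"
fifo_mode=0660
debug=3
children=3
# Two interfaces: choose the outgoing socket by destination address.
mhomed=1

# ------------------ module loading ----------------------------------
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/nathelper.so"
# To authenticate REGISTER (see route{} below) additionally load auth.so
# and auth_db.so together with a database module, and give auth_db a
# db_url pointing at the subscriber table:
# loadmodule "/usr/local/lib/ser/modules/auth.so"
# loadmodule "/usr/local/lib/ser/modules/auth_db.so"

# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
# db_mode 0: contacts are kept in memory only, nothing is written to a DB.
modparam("usrloc", "db_mode", 0)

# -- auth params --
# Uncomment if you are using the auth module
# modparam("auth_db", "calculate_ha1", yes)
# If you set "calculate_ha1" to yes, uncomment also the following
# parameter so HA1 is computed from the plaintext password column:
# modparam("auth_db", "password_column", "password")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# -- NAT params --
# Flag 6 marks NATed contacts; registrar reads it when save() runs.
modparam("registrar", "nat_flag", 6)
# Enable NAT pinging
modparam("nathelper", "natping_interval", 60)
# Ping only contacts that are known to be behind NAT.
# NOTE(review): in route{} below every REGISTER is saved and break-s
# before the nat_uac_test() block that calls setflag(6), so flag 6 is
# never set at save() time. As written no contact is marked NATed and,
# with ping_nated_only=1, nothing gets pinged. Confirm this is intended
# for the all-private two-subnet layout; otherwise move the REGISTER
# handling below the NAT block.
modparam("nathelper", "ping_nated_only", 1)

# ------------------------- request routing logic -------------------
# main routing logic
route{
	# initial sanity checks -- messages with
	# max_forwards==0, or excessively long requests
	if (!mf_process_maxfwd_header("10")) {
		sl_send_reply("483", "Too Many Hops");
		break;
	};
	if (msg:len > max_len) {
		sl_send_reply("513", "Message too big");
		break;
	};

	# Registrations (maxim sobolev): the interface the REGISTER arrived on
	# decides which location table the contact is stored in.
	# NOTE(review): no authentication is performed here, so any host on
	# either subnet can register any AOR and hijack its calls. To close
	# this, load auth.so/auth_db.so (see module loading) and enable the
	# digest challenge before save():
	#
	# if (!www_authorize("fccn.pt", "utilizador")) {
	#	www_challenge("fccn.pt", "0");
	#	break;
	# };
	if (method == "REGISTER") {
		if (dst_ip == 192.168.0.1) {
			save("location-internal");
		} else if (dst_ip == 192.168.1.1) {
			save("location-external");
		} else {
			sl_send_reply("403", "Call cannot be served here");
		};
		break;
	};

	# special handling for NATed clients; first, nat test is
	# executed: it looks for via!=received and RFC1918 addresses
	# in Contact (may fail if line-folding used); also,
	# the received test should, if complete, check all
	# vias for presence of received
	if (nat_uac_test("3")) {
		# allow RR-ed requests, as these may indicate that
		# a NAT-enabled proxy takes care of it; unless it is
		# a REGISTER (REGISTERs never reach this point -- they
		# are saved and break above).
		if (method == "REGISTER" || !search("^Record-Route:")) {
			log("LOG: Someone trying to register from private IP, rewriting\n");
			# This will work only for user agents that support symmetric
			# communication. We tested quite many of them and the majority
			# is smart enough to be symmetric. In some phones it takes a
			# configuration option. With Cisco 7960, it is called
			# NAT_Enable=Yes, with kphone it is called "symmetric media"
			# and "symmetric signaling". (The latter not part of a public
			# release yet.)
			fix_nated_contact();	# Rewrite contact with source IP of signalling
			if (method == "INVITE") {
				fix_nated_sdp("1");	# Add direction=active to SDP
			};
			force_rport();		# Add rport parameter to topmost Via
			setflag(6);		# Mark as NATed
		};
	};

	# Release the RTP proxy session as soon as the dialog ends. This has
	# to run BEFORE loose_route(): in-dialog BYEs carry the Route headers
	# our record_route() added, so the original placement after the
	# loose_route()/t_relay()/break block was never reached for them and
	# sessions lived on until rtpproxy's own timeout expired.
	if (method == "BYE" || method == "CANCEL") unforce_rtp_proxy();

	# INVITEs (maxim sobolev): the location table the callee is found in
	# gives the callee's side, dst_ip gives the caller's side; the
	# force_rtp_proxy() flags are F(orce) A(symmetric) <caller><callee>
	# with I = internal (192.168.0.x) and E = external (192.168.1.x).
	# NOTE(review): this runs before loose_route(), so in-dialog
	# re-INVITEs are looked up as well -- confirm that is intended.
	if (method == "INVITE") {
		if (lookup("location-internal")) {
			if (dst_ip == 192.168.0.1) {
				if (force_rtp_proxy("FAII")) t_on_reply("1");
			};
			if (dst_ip == 192.168.1.1) {
				if (force_rtp_proxy("FAEI")) t_on_reply("1");
			};
		} else if (lookup("location-external")) {
			if (dst_ip == 192.168.0.1) {
				if (force_rtp_proxy("FAIE")) t_on_reply("1");
			};
			if (dst_ip == 192.168.1.1) {
				if (force_rtp_proxy("FAEE")) t_on_reply("1");
			};
		} else {
			# Callee registered on neither side: this proxy never
			# forwards calls elsewhere.
			sl_send_reply("403", "Call cannot be served here");
			break;
		};
	};

	# loose-route processing (in-dialog requests carrying Route headers)
	if (loose_route()) {
		t_relay();
		break;
	};

	lookup("aliases");

	# Requests for our own domain: REGISTER never gets here (handled
	# above) and INVITE was already resolved, so the former
	# "if (uri==myself) { if REGISTER ... }" block was unreachable and
	# has been dropped. Everything else is relayed with the R-URI as
	# received.
	# NOTE(review): nothing rejects requests for foreign domains, so any
	# non-INVITE request (OPTIONS, MESSAGE, SUBSCRIBE, ...) addressed to
	# another domain is relayed unconditionally. If this proxy is only
	# meant to serve local users, add:
	#
	# if (!(uri==myself)) {
	#	sl_send_reply("403", "Forbidden");
	#	break;
	# };

	# Stay in the signalling path of every dialog we set up, so that the
	# BYE (and the unforce_rtp_proxy() above) passes through us.
	if (method == "INVITE") record_route();

	# forward to current uri now; use stateful forwarding; that
	# works reliably even if we forward from TCP to UDP
	if (!t_relay()) {
		sl_reply_error();
	};
} #route

#
# Forcing media relay if necessary
#
# NOTE(review): nothing in route{} calls route(1); this block is kept
# for reference only and is not part of the live routing logic.
route[1] {
	#if (uri=~"[@:](192\.168\.|10\.|172\.16)" && !search("^Route:")) {
	#	sl_send_reply("479", "We don't forward to private IP addresses");
	#	break;
	#};
	#if (isflagset(6)) {
		force_rtp_proxy();	# I force everything through the proxy
		t_on_reply("1");
		append_hf("P-Behind-NAT: Yes\r\n");
	#};
	if (!t_relay()) {
		sl_reply_error();
		break;
	};
}

# Armed with t_on_reply("1") on INVITEs that went through the RTP proxy:
# rewrite the callee's SDP in the replies that carry it.
onreply_route[1] {
	if (!(status=~"183" || status=~"200")) break;
	force_rtp_proxy("FA");
}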