[OpenSIPS-Users] Opensips

Bogdan-Andrei Iancu bogdan at opensips.org
Wed Mar 5 19:05:25 CET 2014


Hello,

The best option for you is to use the dialog module with topology hiding. 
This can be easily combined with any of the media relays (rtpproxy or 
mediaproxy) for hiding the media path.

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 28.02.2014 10:14, ????? ?????? wrote:
> Hi. Please help.
> We have:
> One MGW: Cisco AS5350
> UserID = telephone number, and registration on OpenSIPS through MySQL
> Calls to the PSTN pass through the MGW with prefix 9999.
>
> Now, such a scheme works:
>
> (UAC)-------->SIP-------->OpenSIPS 1.7-------->SIP-------->MGW Cisco
> 85.85.85.95               85.85.85.85                   85.85.85.11
> RTP------------------------------------------------------>MGW Cisco-------->PSTN
>
> Here is an example CFG-file that works now.
> In the "183" message the prefix and the gateway IP are visible. And that 
> could be a threat of fraud.
> Here, if you use the function topology_hiding(), a fair exchange does not 
> happen: the "BYE" gets the message "404 Not here" rather than "200 OK".
> I use client_nat_test to cut off all registration requests that are behind 
> NAT, but it does not work!
>
> port=5060
> listen=udp:85.85.85.85:5060    # Opensips-server
>
> route {
>     if (has_totag()) {
>         if (loose_route()) {
>             if (is_method("BYE")) {
>                 setflag(1);
>                 setflag(3);
>             } else if (is_method("INVITE")) {
>                 #topology_hiding();
>                 record_route();
>             }
>             route(1);
>         } else {
>             if (is_method("ACK")) {
>                 if (t_check_trans()) {
>                     t_relay();
>                     exit;
>                 } else {
>                     exit;
>                 }
>             }
>             sl_send_reply("404", "Not here");
>         }
>         exit;
>     }
>
>     # initial requests
>     if (is_method("CANCEL")) {
>         if (t_check_trans())
>             t_relay();
>         exit;
>     }
>
>     t_check_trans();
>
>     # authenticate if from local subscriber (uncomment to enable auth)
>     # authenticate all initial non-REGISTER request that pretend to be
>     # generated by local subscriber (domain from FROM URI is local)
>     if (!(method=="REGISTER") && from_uri==myself) { # no multidomain version
>         if (!proxy_authorize("", "subscriber")) {
>             proxy_challenge("", "0");
>             exit;
>         }
>         if (!db_check_from()) {
>             sl_send_reply("403", "Forbidden auth ID");
>             exit;
>         }
>         consume_credentials();
>     }
>
>     # preloaded route checking
>     if (loose_route()) {
>         xlog("L_ERR", "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
>         if (!is_method("ACK"))
>             sl_send_reply("403", "Preload Route denied");
>         exit;
>     }
>
>     # record routing
>     if (!is_method("REGISTER|MESSAGE")) record_route();
>
>     # account only INVITEs
>     if (is_method("INVITE")) {
>         # if (!src_ip=="85.85.85.11") { # CISCO MGW IP
>         #     topology_hiding();
>         # }
>         setflag(1); # do accounting
>     }
>
>     if (!uri==myself) { ## replace with following line if multi-domain support is used
>         route(1);
>     }
>
>     # requests for my domain
>     if (is_method("PUBLISH")) {
>         sl_send_reply("503", "Service Unavailable");
>         exit;
>     }
>
>     if (is_method("REGISTER")) {
>         # if (client_nat_test("3")) {
>         #     sl_send_reply("403", "Not working NAT");
>         #     exit;
>         # }
>
>         # authenticate the REGISTER requests (uncomment to enable auth)
>         if (!www_authorize("", "subscriber")) {
>             www_challenge("", "0");
>             exit;
>         }
>         if (!db_check_to()) {
>             sl_send_reply("403", "Forbidden auth ID");
>             exit;
>         }
>         if (!save("location"))
>             sl_reply_error();
>         exit;
>     }
>
>     if ($rU==NULL) {
>         # request with no Username in RURI
>         sl_send_reply("484", "Address Incomplete");
>         exit;
>     }
>
>     # do lookup with method filtering
>     if ((src_ip=="85.85.85.11") && (!lookup("location"))) {
>         switch ($retcode) {
>             case -1:
>             case -3:
>                 t_newtran();
>                 t_reply("404", "Not Found");
>                 exit;
>             case -2:
>                 sl_send_reply("405", "Method Not Allowed");
>                 exit;
>         }
>     }
>
>     # when routing via usrloc, log the missed calls also
>     setflag(2);
>
>     if (src_ip=="85.85.85.11") {
>         route(1);
>     }
>     route(3);
> }
>
> route[1] {
>     # for INVITEs enable some additional helper routes
>     if (is_method("INVITE")) {
>         t_on_branch("2");
>         t_on_reply("2");
>         t_on_failure("1");
>     }
>     if (!t_relay()) {
>         sl_reply_error();
>     }
>     exit;
> }
> ####################################################
> route[3] {
>     prefix("9999");
>     rewritehostport("85.85.85.11:5060");
>     if (!t_relay()) {
>         sl_reply_error();
>     }
>     exit;
> }
> ####################################################
> branch_route[2] { xlog("new branch at $ru\n"); }
> onreply_route[2] { xlog("incoming reply\n"); }
>
> failure_route[1] {
>     if (t_was_cancelled()) { exit; }
> }
>
>
> It's not safe; it's necessary to build a new wiring diagram:
> (UAC)--->SIP,RTP--->(OpenSIPS--->RTP,SIP--->)--->MGW Cisco--->PSTN
> 85.85.85.95         (85.85.85.85   192.168.0.2)  192.168.0.3
>
> Questions:
> 1. How to hide the network topology from the users (can the dialog 
> module's topology_hiding function be used?)
> 2. How to hide the RTP traffic to the MGW behind the OpenSIPS server (can 
> MediaProxy or rtpproxy be used?)
> 3. Cut off all who are behind NAT!!!
> Please give examples of an opensips.cfg file.
>
>
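The pieces of opensips.cfg that implement the reply's suggestion (dialog module with topology hiding plus rtpproxy) for the two-leg layout and the three questions in the quoted message, as an added example that is not from the list thread or the OpenSIPS project. It assumes the OpenSIPS 1.8 dialog, rtpproxy and nathelper module functions (match_dialog(), topology_hiding(), rtpproxy_offer()/rtpproxy_answer(), nat_uac_test()), an rtpproxy started in bridge mode on the two addresses, and that the module loading and routes elided with "..." are kept from the original config; function names should be checked against the docs of the version actually deployed.

```cfg
# Added example, not the list reply's or the OpenSIPS project's own config.
# Assumed: rtpproxy -l 85.85.85.85/192.168.0.2 -s udp:127.0.0.1:7722
# and the tm, rr, sl, usrloc, auth_db and sipmsgops modules loaded as before.
listen=udp:85.85.85.85:5060      # public leg, towards the UACs
listen=udp:192.168.0.2:5060      # private leg, towards the MGW

loadmodule "dialog.so"
loadmodule "rtpproxy.so"
loadmodule "nathelper.so"
modparam("dialog", "dlg_match_mode", 1)
modparam("rtpproxy", "rtpproxy_sock", "udp:127.0.0.1:7722")

route {
    if (has_totag()) {
        # topology hiding strips Record-Route, so a BYE carries no Route header:
        # match it on the dialog instead of loose_route(), otherwise it falls
        # through to the 404 the original config answered with
        if (match_dialog()) {
            if (is_method("BYE")) { setflag(1); setflag(3); rtpproxy_unforce(); }
            t_relay();
            exit;
        }
        if (is_method("ACK") && t_check_trans()) { t_relay(); exit; }
        sl_send_reply("404", "Not here");
        exit;
    }
    # ... CANCEL, proxy authentication and preload-route checks as before ...
    if (is_method("REGISTER")) {
        # refuse subscribers behind NAT: 19 = Contact (1) + Via (2) + source port (16)
        if (nat_uac_test("19")) {
            sl_send_reply("403", "NAT not supported");
            exit;
        }
        # ... www_authorize() / save("location") as before ...
    }
    if (is_method("INVITE")) {
        create_dialog();
        topology_hiding();        # UAC only ever sees 85.85.85.85, the MGW only 192.168.0.2
        if (has_body("application/sdp"))
            rtpproxy_offer("ei"); # SDP comes in on the external leg, goes out on the internal
        t_on_reply("2");
        setflag(1);               # do accounting
    }
    # ... lookup("location"), or route(3) with rewritehostport("192.168.0.3:5060") ...
}

onreply_route[2] {
    if (has_body("application/sdp"))
        rtpproxy_answer("ie");    # the MGW's answer goes back out on the external leg
}
```

The src_ip checks in the original config still refer to 85.85.85.11; in the new layout the MGW is 192.168.0.3 and those comparisons have to follow it.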
