Hello,
I have an issue with filtering on the Asterisk side. My requests are: UsersPhones(bria) -> Kamailio -> Asterisk -> Sip Trunk Out.
The goal is to manage a new layer of protection (IP filtering / whitelisting). When I try to compile a list of whitelisted IPs in sip.conf I get this error:
NOTICE[205]: acl.c:748 ast_apply_acl: SIP contact ACL: Rejecting '145.72.23.45' due to a failure to pass ACL '(BASELINE)'
WARNING[205]: chan_sip.c:17061 parse_register_contact: Domain '5.12.16.2:48669' disallowed by contact ACL (violating IP 145.72.23.45)
WARNING[205]: chan_sip.c:17933 register_verify: Registration denied because of contact ACL
The IP 145.72.23.45 is the Kamailio proxy, and if I add it to sip.conf it works, but so does every IP afterwards.
I tried with contactpermit and also with permit; the result is the same: as long as I permit the proxy IP it works. Is there something that I can do on the Asterisk side to activate this filtering, or is there something that I can do in Kamailio so it will forward the real IP?
contactdeny=0.0.0.0/0.0.0.0
contactpermit=145.72.23.45/32
contactpermit=5.12.16.2/32
Thanks in advance,
Hi,
I think it's the order you apply the ACL, first permit some, then deny any?
Vitalie.
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Hi,
The last matching rule is the one used. If no rule matches, then the connection is permitted.
Example:
deny=0.0.0.0/0.0.0.0
permit=1.2.3.4/32
Deny every address except for the only one allowed.
Basically the rules are processed from the first to the last.
Hello, this is really an Asterisk question. Here in Kamailio we'd recommend you do that filtering at the proxy level, using the "permissions" module.
Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
But is there something that I can do in Kamailio to send the original IP to an Asterisk server, like in HTTP with the XFF header?
Hello,
you can surely just add the original IP to an X-Header in Kamailio.
Have a look at the pseudo-variables (e.g. incoming IP address) and the textops module, the append_hf function for example.
Cheers,
Henning
Hi,
I am looking at the Kamailio 5.5.x wiki, and there are a few pseudo-variables, $si, $siz (don't know which one to use). Should I manipulate the "From" header?
Like so:
remove_hf("From");
insert_hf("From: $fnsip:$fU@$si:$sp;tag=$ft\r\n","To");
Thanks in advance,
Hello,
If you want to modify the From header you should use the uac_replace_from function from the uac module and not the PVs. If you just want to pass the IP to Asterisk, do not change the From header but add e.g. a new "X-IP" header for it and evaluate it from Asterisk.
Cheers,
Henning
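
The two rules discussed in this thread, modelled in Python as an added example (not code from Asterisk, Kamailio or any poster): last-match-wins ACL evaluation with default permit, and an "X-IP" header that is honoured only on packets arriving from the proxy. `PHONES_ONLY`, the function names and the 203.0.113.9 address are assumptions made for the illustration; how Asterisk itself would evaluate the header is not shown in the thread.

```python
import ipaddress

PROXY = ipaddress.ip_address("145.72.23.45")  # Kamailio address, from the thread

def parse_acl(lines):
    """Parse permit=/deny= (or contactpermit=/contactdeny=) lines, in file order."""
    rules = []
    for line in lines:
        key, _, net = line.strip().partition("=")
        sense = key[len("contact"):] if key.startswith("contact") else key
        if sense not in ("permit", "deny"):
            raise ValueError(f"not an ACL line: {line!r}")
        rules.append((sense, ipaddress.ip_network(net, strict=False)))
    return rules

def acl_allows(rules, addr):
    """Last matching rule wins; an address no rule matches is permitted."""
    ip, allowed = ipaddress.ip_address(addr), True
    for sense, net in rules:
        if ip in net:
            allowed = (sense == "permit")
    return allowed

def effective_client(src_ip, headers):
    """Address to check: X-IP counts only on packets that came from the proxy."""
    src = ipaddress.ip_address(src_ip)
    claimed = headers.get("X-IP")
    if src != PROXY or claimed is None:
        return src
    try:
        return ipaddress.ip_address(claimed.strip())
    except ValueError:
        return None  # unparsable header: no usable address, so reject

def admit(rules, src_ip, headers):
    """Apply the ACL to the effective client address of one request."""
    client = effective_client(src_ip, headers)
    return client is not None and acl_allows(rules, client)

# Rule set posted in the thread, and a phones-only list (constructed for this example).
THREAD_ACL = parse_acl(["contactdeny=0.0.0.0/0.0.0.0",
                        "contactpermit=145.72.23.45/32",
                        "contactpermit=5.12.16.2/32"])
PHONES_ONLY = parse_acl(["deny=0.0.0.0/0.0.0.0", "permit=5.12.16.2/32"])

if __name__ == "__main__":
    relayed = {"X-IP": "203.0.113.9"}  # constructed: a phone that is not on the list
    print(admit(THREAD_ACL, "145.72.23.45", {}))        # only the proxy address is seen
    print(admit(PHONES_ONLY, "145.72.23.45", relayed))  # original address is checked
```

The header is only as trustworthy as the proxy makes it: Kamailio has to drop any X-IP a client supplied before appending its own.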