[SR-Users] Kamailio Inbound proxy to Asterisk - ACL Filtering

Mihai Cezar cezar at mokalife.ro
Sun Oct 10 19:50:31 CEST 2021 

Hi,

The last matching rule is the one used. If no rule matches, then the
connection is permitted.

Example:
deny=0.0.0.0/0.0.0.0
permit=1.2.3.4/32
Deny every address except for the only one allowed.

Basically the rules are processed from the first to the last.

On Sat, Oct 9, 2021 at 3:26 PM Bugaian A. Vitalie <bugaian at gmail.com> wrote:
>
> Hi,
>
> I think its the order you apply the ACL, first permit some, then deny any?
>
> Vitalie.
>
> On Sat, Oct 9, 2021 at 1:58 PM Mihai Cezar <cezar at mokalife.ro> wrote:
>>
>> Hello,
>>
>> I have an issue with filtering on the asterisk side, my requests are:
>> UsersPhones(bria) -> Kamailio -> Asterisk -> Sip Trunk Out.
>>
>> The goal is to manage a new layer of protection ( IP filtering / Whitelisting ).
>> When I try to compile a list of Whitelisted IP in sip.conf I get this error:
>>
>> NOTICE[205]: acl.c:748 ast_apply_acl: SIP contact ACL: Rejecting
>> '145.72.23.45' due to a failure to pass ACL '(BASELINE)'
>> WARNING[205]: chan_sip.c:17061 parse_register_contact: Domain
>> '5.12.16.2:48669' disallowed by contact ACL (violating IP
>> 145.72.23.45)
>> WARNING[205]: chan_sip.c:17933 register_verify: Registration denied
>> because of contact ACL
>>
>> The IP 145.72.23.45, is the proxy kamailio and if I added it to
>> sip.conf it works, but so does every ip afterwards.
>>
>> I tried with contactpermit also with permit, the result is the same as
>> long as I permit the proxy ip it works. Is there something that I can
>> do on the asterisk side to activate this filtering Or there is
>> something that I can do in Kamailio so it will forward the realip ?
>>
>> contactdeny=0.0.0.0/0.0.0.0
>> contactpermit=145.72.23.45/32
>> contactpermit=5.12.16.2/32
>>
>>
>> Thanks in advance,
>>
>> __________________________________________________________
>> Kamailio - Users Mailing List - Non Commercial Discussions
>>   * sr-users at lists.kamailio.org
>> Important: keep the mailing list in the recipients, do not reply only to the sender!
>> Edit mailing list options or unsubscribe:
>>   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
>   * sr-users at lists.kamailio.org
> Important: keep the mailing list in the recipients, do not reply only to the sender!
> Edit mailing list options or unsubscribe:
>   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

More information about the sr-users mailing list