[SR-Users] Kamailio Inbound proxy to Asterisk - ACL Filtering

Henning Westerholt hw at skalatan.de
Tue Oct 12 22:39:28 CEST 2021 

Hello,

you can surely just add the original IP to an X-Header in Kamailio.

Have a look to the pseudo-variables (e.g. incoming IP address) and textops module, append_hf function for example.

Cheers,

Henning

-- 
Henning Westerholt - https://skalatan.de/blog/
Kamailio services - https://gilawa.com

-----Original Message-----
From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of Mihai Cezar
Sent: Tuesday, October 12, 2021 10:10 PM
To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
Subject: Re: [SR-Users] Kamailio Inbound proxy to Asterisk - ACL Filtering

But is there something that I can do in kamailio to send the original IP to an asterisk server like in http with the XFF header?

On Mon, Oct 11, 2021 at 1:29 AM David Villasmil <david.villasmil.work at gmail.com> wrote:
>
> Hello, this is really an Asterisk question.
> Here in Kamailio we'd recommend you do that filtering at the proxy level, using the "permissions" module.
>
> Regards,
>
> David Villasmil
> email: david.villasmil.work at gmail.com
> phone: +34669448337
>
>
> On Sun, Oct 10, 2021 at 6:52 PM Mihai Cezar <cezar at mokalife.ro> wrote:
>>
>> Hi,
>>
>> The last matching rule is the one used. If no rule matches, then the 
>> connection is permitted.
>>
>> Example:
>> deny=0.0.0.0/0.0.0.0
>> permit=1.2.3.4/32
>> Deny every address except for the only one allowed.
>>
>> Basically the rules are processed from the first to the last.
>>
>> On Sat, Oct 9, 2021 at 3:26 PM Bugaian A. Vitalie <bugaian at gmail.com> wrote:
>> >
>> > Hi,
>> >
>> > I think its the order you apply the ACL, first permit some, then deny any?
>> >
>> > Vitalie.
>> >
>> > On Sat, Oct 9, 2021 at 1:58 PM Mihai Cezar <cezar at mokalife.ro> wrote:
>> >>
>> >> Hello,
>> >>
>> >> I have an issue with filtering on the asterisk side, my requests are:
>> >> UsersPhones(bria) -> Kamailio -> Asterisk -> Sip Trunk Out.
>> >>
>> >> The goal is to manage a new layer of protection ( IP filtering / Whitelisting ).
>> >> When I try to compile a list of Whitelisted IP in sip.conf I get this error:
>> >>
>> >> NOTICE[205]: acl.c:748 ast_apply_acl: SIP contact ACL: Rejecting 
>> >> '145.72.23.45' due to a failure to pass ACL '(BASELINE)'
>> >> WARNING[205]: chan_sip.c:17061 parse_register_contact: Domain 
>> >> '5.12.16.2:48669' disallowed by contact ACL (violating IP
>> >> 145.72.23.45)
>> >> WARNING[205]: chan_sip.c:17933 register_verify: Registration 
>> >> denied because of contact ACL
>> >>
>> >> The IP 145.72.23.45, is the proxy kamailio and if I added it to 
>> >> sip.conf it works, but so does every ip afterwards.
>> >>
>> >> I tried with contactpermit also with permit, the result is the 
>> >> same as long as I permit the proxy ip it works. Is there something 
>> >> that I can do on the asterisk side to activate this filtering Or 
>> >> there is something that I can do in Kamailio so it will forward the realip ?
>> >>
>> >> contactdeny=0.0.0.0/0.0.0.0
>> >> contactpermit=145.72.23.45/32
>> >> contactpermit=5.12.16.2/32
>> >>
>> >>
>> >> Thanks in advance,
>> >>
>> >> __________________________________________________________
>> >> Kamailio - Users Mailing List - Non Commercial Discussions
>> >>   * sr-users at lists.kamailio.org
>> >> Important: keep the mailing list in the recipients, do not reply only to the sender!
>> >> Edit mailing list options or unsubscribe:
>> >>   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>> >
>> > __________________________________________________________
>> > Kamailio - Users Mailing List - Non Commercial Discussions
>> >   * sr-users at lists.kamailio.org
>> > Important: keep the mailing list in the recipients, do not reply only to the sender!
>> > Edit mailing list options or unsubscribe:
>> >   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>> __________________________________________________________
>> Kamailio - Users Mailing List - Non Commercial Discussions
>>   * sr-users at lists.kamailio.org
>> Important: keep the mailing list in the recipients, do not reply only to the sender!
>> Edit mailing list options or unsubscribe:
>>   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
>   * sr-users at lists.kamailio.org
> Important: keep the mailing list in the recipients, do not reply only to the sender!
> Edit mailing list options or unsubscribe:
>   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
  * sr-users at lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
  * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

More information about the sr-users mailing list