Hi Ted,
What you have to do is add the GW diversion in the (uri==myself) section,
before lookup("location"). Something like:
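# Divert calls whose request URI matches the PSTN pattern to the gateway.
# Goes in the (uri==myself) section, before lookup("location").
# Keep the "uri_GW_like" pattern anchored and as narrow as the dial plan
# allows, so that only intended numbers reach the gateway.
if (uri=~"uri_GW_like") {
    # PSTN termination is billable, so the caller must pass digest
    # authentication before the request is relayed. Having a location
    # entry proves nothing about who sent this particular request.
    # Only INVITE is challenged: ACK and CANCEL cannot be re-sent
    # with credentials.
    if (method=="INVITE") {
        if (!proxy_authorize("unlimitedtalk.net", "subscriber")) {
            proxy_challenge("unlimitedtalk.net", "0");
            break;
        };
    };
    # NOTE(review): this relays straight to the gateway and skips route[1]
    # of the quoted config, so its force_rtp_proxy() / t_on_reply("1")
    # handling is not applied to these calls -- confirm that is intended.
    t_relay_to_udp("GW_IP","GW_PORT");
    break;
}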
Best regards,
Marian Dumitru
Trung Nguyen wrote:
Hi Serusers,
I have been playing around this logic for some
time now and it's giving me a bit of headache. Any
help will be very appreciated.
Here's what I got. I use the default setting for
rtpproxy and tested all the nat scenarios from PC-PC
work great. Now I want to have the PC to call out to
PSTN and only allow registered client to be able to
make call to pstn gateway and at the same time to go
thru rtpproxy. My gateway ip address is 64.200.219.134
port 5060, it's a cisco as5350. Below is my
configuration, where should I put the setting and any
hint or example will be very appreciated.
----------------------
#
# $Id: ser.cfg,v 1.21.4.1 2003/11/10 15:35:15 andrei Exp $
#
# simple quick-start config script
#

# ----------- global configuration parameters ------------------------

#debug=7 # debug level (cmd line: -dddddddddd)
#fork=yes
#log_stderror=yes # (cmd line: -E)

/* Uncomment these lines to enter debugging mode
debug=7
fork=no
log_stderror=yes
*/

# Addresses the proxy listens on: the public interface and loopback.
listen=64.200.219.135
listen=127.0.0.1
# Extra names treated as local; presumably these feed the uri==myself
# tests in the routing logic -- confirm against the SER documentation.
alias=unlimitedtalk.net
alias=64.200.219.135
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
#port=5060
#children=4
# NOTE(review): the management FIFO is created under /tmp, a directory
# shared with every local user. Whoever can write to it can presumably
# issue management commands -- confirm its permissions or move it to a
# directory only the SER user can access.
fifo="/tmp/ser_fifo"
# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
# (active here: usrloc and auth_db below point at MySQL)
loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/nathelper.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
loadmodule "/usr/local/lib/ser/modules/acc.so"

# Uncomment this if you want digest authentication
# mysql.so must be loaded !
# (active here: www_authorize/www_challenge are used for REGISTER)
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"
# ----------------- setting module-specific parameters ---------------

# ------------- tm parameters
modparam("tm", "fr_timer", 12)
modparam("tm", "fr_inv_timer", 24)

# ------------- rr parameters
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# ------------- accounting parameters
# NOTE(review): the routing logic shown never calls setflag(1) or
# setflag(3), so presumably no call is ever accounted. Once PSTN calls are
# relayed, accounting records are the main way to spot abuse -- confirm
# and set the flags for gateway-bound INVITEs.
modparam("acc", "log_missed_flag", 3)
modparam("acc", "log_level", 1)
modparam("acc", "log_flag", 1)

# ------------- usrloc parameters
# 2 enables write-back to persistent mysql storage for speed
# disable=0, write-through=1
modparam("usrloc", "db_mode", 2)
# minimize write back window - default is 60 seconds
modparam("usrloc", "timer_interval", 10)
# database location
# NOTE(review): the DB user and password are embedded in the URL, and
# "heslo" appears to be the password shipped with the sample configs.
# Use a unique password and keep this file readable by the SER user only.
modparam("usrloc", "db_url",
"mysql://ser:heslo@localhost/ser")

# ------------- auth parameters
# database location (same credentials caveat as the usrloc db_url above)
modparam("auth_db", "db_url",
"mysql://ser:heslo@localhost/ser")
# allows clear text passwords in the mysql database
# NOTE(review): with plaintext passwords, anyone who reads the subscriber
# table obtains every user's SIP password; storing precomputed HA1 hashes
# instead would limit that exposure -- check the auth_db documentation.
modparam("auth_db", "calculate_ha1", yes)
# name of password column in mysql database
modparam("auth_db", "password_column", "password")

# !! Nathelper
# Flag 6 is the flag the main route sets with setflag(6) for NATed clients.
modparam("registrar", "nat_flag", 6)
modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT

# ------------------------- request routing logic -------------------
# main routing logic
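route{
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        break;
    };
    if ( msg:len > max_len ) {
        sl_send_reply("513", "Message too big");
        break;
    };

    # !! Nathelper
    # Special handling for NATed clients; first, NAT test is
    # executed: it looks for via!=received and RFC1918 addresses
    # in Contact (may fail if line-folding is used); also,
    # the received test should, if completed, check all
    # vias for presence of received
    if (nat_uac_test("3")) {
        # Allow RR-ed requests, as these may indicate that
        # a NAT-enabled proxy takes care of it; unless it is
        # a REGISTER
        if (method == "REGISTER" || ! search("^Record-Route:")) {
            log("LOG: Someone trying to register from private IP, rewriting\n");
            # This will work only for user agents that support symmetric
            # communication. We tested quite many of them and majority is
            # smart enough to be symmetric. In some phones it takes a
            # configuration option. With Cisco 7960, it is called
            # NAT_Enable=Yes, with kphone it is called "symmetric media"
            # and "symmetric signalling".
            fix_nated_contact(); # Rewrite contact with source IP of signalling
            if (method == "INVITE") {
                fix_nated_sdp("1"); # Add direction=active to SDP
            };
            force_rport(); # Add rport parameter to topmost Via
            setflag(6); # Mark as NATed
        };
    };

    # Record-route every request except REGISTER -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol.
    # This is deliberately the only record_route() call: a second,
    # unconditional call earlier in the route would add a duplicate
    # Record-Route header to every initial request.
    if (!method=="REGISTER") record_route();

    # Subsequent messages within a dialog should take the
    # path determined by record-routing.
    # This is deliberately the only loose_route() test and it sits after
    # the NAT test: relaying in-dialog requests with a bare t_relay()
    # before this point would bypass route(1), i.e. the RTP proxy and
    # the reply handling armed there.
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
        break;
    };

    # NOTE(review): requests addressed to a foreign domain are relayed for
    # any sender without authentication, which makes the proxy an open
    # relay. Consider challenging them with proxy_authorize() or rejecting
    # senders that are not local users.
    if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
        break;
    };

    # Requests addressed to our own domain are resolved through the
    # aliases and location tables.
    if (uri==myself) {
        if (method=="REGISTER") {
            # Digest authentication of registrations.
            # NOTE(review): this verifies the credentials but nothing here
            # ties the To user being registered to the authenticated user;
            # check_to() from the uri module (not loaded in this config)
            # is the usual way to enforce that -- confirm.
            if (!www_authorize("unlimitedtalk.net", "subscriber")) {
                www_challenge("unlimitedtalk.net", "0");
                break;
            };
            save("location");
            break;
        };

        lookup("aliases");
        # the alias may have rewritten the URI to a foreign domain
        if (!uri==myself) {
            append_hf("P-hint: outbound alias\r\n");
            route(1);
            break;
        };

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            break;
        };
    };
    append_hf("P-hint: usrloc applied\r\n");
    route(1);
}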
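# Common relay block: refuses private destinations, engages the RTP proxy
# for NATed transactions, arms reply processing and relays statefully.
route[1]
{
    # !! Nathelper
    # Refuse request URIs that point at RFC1918 addresses unless the
    # request carries a Route header.
    # NOTE(review): the pattern covers 10/8, 172.16/12 and 192.168/16 only;
    # loopback (the proxy also listens on 127.0.0.1) and link-local
    # destinations are not matched -- decide whether they should be refused.
    if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" && !search("^Route:")) {
        sl_send_reply("479", "We don't forward to private IP addresses");
        break;
    };

    # if client or server know to be behind a NAT, enable relay
    if (isflagset(6)) {
        force_rtp_proxy();
    };

    # NAT processing of replies; apply to all transactions (for example,
    # re-INVITEs from public to private UA are hard to identify as
    # NATed at the moment of request processing); look at replies
    t_on_reply("1");

    # send it out now; use stateful forwarding as it works reliably
    # even for UDP2TCP
    if (!t_relay()) {
        sl_reply_error();
    };
}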
# !! Nathelper
# Reply handler armed by t_on_reply("1") in route[1]: fixes up replies that
# belong to NATed transactions.
onreply_route[1] {
    # NATed transaction ? (flag 6 was set while the request was processed)
    # Only 183 and 2xx replies are rewritten and passed to the RTP proxy.
    if (isflagset(6) && status =~ "(183)|2[0-9][0-9]")
    {
        fix_nated_contact();
        force_rtp_proxy();
    # otherwise, is it a transaction behind a NAT and we did not
    # know at time of request processing ? (RFC1918 contacts)
    } else if (nat_uac_test("1")) {
        fix_nated_contact();
    };
}
----------------------------
Thanks in advance,
Ted