Alex Villacís Lasso
2014-Feb-20 18:48 UTC
[asterisk-users] How to configure asterisk to only accept SIP from kamailio@localhost but exchange RTP on all interfaces?
I have a setup with asterisk-11.7.0 and kamailio-4.1.1. I am following the setup guide at http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb . I want to run asterisk and kamailio on the same server, with SIP realtime configuration (MySQL database) so that kamailio authenticates and then forwards the registration to asterisk on localhost. The setup calls for asterisk to be configured to listen for SIP traffic on all interfaces, on a nonstandard port (I chose 5080). It also calls for blanking of the password for the SIP peer (in my case, a softphone), so that it will not request authentication again. I have managed to make a call with working audio from the softphone to an extension on asterisk through kamailio.

My concern is that asterisk is left listening for SIP through all interfaces and with no SIP passwords. I want to secure the setup against directed traffic to the asterisk UDP port (5080), that bypasses the kamailio process. I tried setting bindaddr=127.0.0.1 so asterisk will only listen for SIP traffic on localhost, but this has the side effect of also removing audio - the call appears to be successful on the softphone and on the asterisk logs, but no audio is actually heard. My theory is that the RTP traffic is being sent to kamailio instead of the softphone.

How can I set up asterisk so that it can send RTP anywhere but reject any SIP traffic that does not come from the kamailio process on localhost?
Markus
2014-Feb-20 20:07 UTC
On 20.02.2014 19:48, Alex Villacís Lasso wrote:
> My concern is that asterisk is left listening for SIP through all
> interfaces and with no SIP passwords. I want to secure the setup against
> directed traffic to the asterisk UDP port (5080), that bypasses the
> kamailio process. I tried setting bindaddr=127.0.0.1 so asterisk will
> only listen for SIP traffic on localhost, but this has the side effect
> of also removing audio - the call appears to be successful on the
> softphone and on the asterisk logs, but no audio is actually heard. My
> theory is that the RTP traffic is being sent to kamailio instead of the
> softphone.

Theories are nice, but you should check whether they are true using, e.g., tcpdump :)

I would check with, for example:

    tcpdump -nnnqt -s 0 -A -i eth0 port 5060

or instead of "port 5060" (or 5080) try "udp" to see what is going on with RTP. Change from eth0 to lo to see if there is really RTP going to nowhere. When looking at port 5060/5080, check the SDP header to see what kamailio/Asterisk/your softphone announce in terms of RTP.

I thought kamailio is a SIP server/proxy only and is not involved in RTP at all.

In any case, if you want to allow only certain connections from somewhere to somewhere (including from/to certain ports), iptables is your friend if you are using Linux.
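The SDP check suggested in the reply above, as an added example that is not part of the original thread: it pulls the media address and port out of a SIP message as printed by `tcpdump -A` and reports any stream announced on a loopback address, which a remote softphone cannot reach. The sample message is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a 200 OK carrying SDP that announces 127.0.0.1 for audio.
# All addresses, ports and tags are made up for illustration.
LOOPBACK_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK-constructed\r\n"
    "Contact: <sip:100@127.0.0.1:5080>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 127.0.0.1\r\n"
    "s=-\r\n"
    "c=IN IP4 127.0.0.1\r\n"
    "t=0 0\r\n"
    "m=audio 14560 RTP/AVP 0 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
# Same message with a routable (documentation-range) address instead.
ROUTABLE_200_OK = LOOPBACK_200_OK.replace("IN IP4 127.0.0.1", "IN IP4 192.0.2.10")


def media_targets(sip_message):
    """Return [(media, address, port)] announced in the SDP body."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_addr, current, targets = None, None, []
    for line in body.splitlines():
        if line.startswith("c="):
            addr = line[2:].split()[2].split("/")[0]  # drop any multicast TTL suffix
            if current is None:
                session_addr = addr      # session-level c=: default for all media
            else:
                current[1] = addr        # media-level c= overrides the default
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]
            current = [media, session_addr, int(port.split("/")[0])]
            targets.append(current)
    return [tuple(t) for t in targets]


def loopback_media(sip_message):
    """Media streams whose announced address is loopback (assumes literal IPs in c=)."""
    return [t for t in media_targets(sip_message)
            if t[1] is not None and ipaddress.ip_address(t[1]).is_loopback]


if __name__ == "__main__":
    for name, msg in (("loopback", LOOPBACK_200_OK), ("routable", ROUTABLE_200_OK)):
        print(name, media_targets(msg), "unreachable:", loopback_media(msg))
```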
Karsten Wemheuer
2014-Feb-25 13:30 UTC
Hi Alex,

On Thursday, 20.02.2014, 13:48 -0500, Alex Villacís Lasso wrote:
> I have a setup with asterisk-11.7.0 and kamailio-4.1.1. I am following
> the setup guide at
> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb . I want to run asterisk and kamailio on the same server, with SIP realtime configuration
> (MySQL database) so that kamailio authenticates and then forwards the
> registration to asterisk on localhost. The setup calls for asterisk to
> be configured to listen for SIP traffic on all interfaces, on a
> nonstandard port (I chose 5080). It also calls for
> blanking of the password for the SIP peer (in my case, a softphone),
> so that it will not request authentication again. I have managed
> to make a call with working audio from the softphone to an extension
> on asterisk through kamailio.
>
> My concern is that asterisk is left listening for SIP through all
> interfaces and with no SIP passwords. I want to secure the setup
> against directed traffic to the asterisk UDP port (5080), that
> bypasses the kamailio process. I tried setting
> bindaddr=127.0.0.1 so asterisk will only listen for SIP traffic on
> localhost, but this has the side effect of also removing audio - the
> call appears to be successful on the softphone and on the asterisk
> logs, but no audio is actually heard. My theory is
> that the RTP traffic is being sent to kamailio instead of the
> softphone.
>
> How can I set up asterisk so that it can send RTP anywhere but reject
> any SIP traffic that does not come from the kamailio process on
> localhost?
>

If you bind asterisk to 127.0.0.1 I think the media connection is set for this IP. Your softphone cannot reach the correct 127.0.0.1 (localhost is everywhere). I would suggest you set up asterisk on the eth0 address or 0.0.0.0. In the sip.conf you could secure your setup with

    deny = 0.0.0.0/0.0.0.0
    permit = Your-LAN-Address

This way asterisk accepts SIP from your box only.

HTH,
Karsten
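A way to sanity-check a deny/permit pair like the one in the reply above before loading it, as an added example that is not part of the original thread or of Asterisk itself. It is a simplified model that assumes the rules are evaluated in file order and the last matching rule decides, with "allow" when nothing matches; the addresses are constructed documentation-range values and the function names are hypothetical.

```python
import ipaddress


def parse_acl(conf_text):
    """Collect ordered ("deny"|"permit", spec) pairs from sip.conf-style lines."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()     # ';' starts a comment
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("deny", "permit"):
            rules.append((key.strip(), value.strip()))
    return rules


def acl_allows(rules, source):
    """Assumed model: every rule is checked in order, the last match wins."""
    src = ipaddress.ip_address(source)
    allowed = True                              # no rule matched: allowed
    for action, spec in rules:
        # ip_network accepts both "a.b.c.d/len" and "a.b.c.d/netmask" forms
        if src in ipaddress.ip_network(spec, strict=False):
            allowed = (action == "permit")
    return allowed


# Constructed fragments: 192.0.2.10 stands in for the box's own LAN address.
AS_POSTED = """
deny = 0.0.0.0/0.0.0.0
permit = 192.0.2.10      ; this host, where kamailio runs
"""
REVERSED = """
permit = 192.0.2.10
deny = 0.0.0.0/0.0.0.0   ; placed last, this overrides the permit
"""

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("reversed", REVERSED)):
        rules = parse_acl(text)
        for src in ("192.0.2.10", "198.51.100.7"):   # own box, outside host
            print(name, src, "allowed" if acl_allows(rules, src) else "denied")
```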