asterisk users - Jun 2010 - Create dialplan restrictions based on the IP Address of the SIP Client?

Hello,

We have a scenario in which there are 2 sites, one in europe and one in mexico,
they are connected via an IAX channel, problem is that the location in mexico
has only a dynamic IP connection to the Internet.

Because of the dynamic IP I can not create IP-Tables rules to only allow this
connection from the outside. But I need to restrict calls because there was a
break-in which called out.

So, is it possible to restrict sip-accounts, which connect through an outside
IP, to only be able to call to extensions and are not allowed to dial out?

Are there other possible solutions I am not aware of?

best regards
Ray


-
RunSolutions
     Open Source It Consulting
-
Email: rs at runsolutions.com

Parc Bit - Centro Empresarial Son Espanyol
Edificio Estel - Local 3D
07121 -  Palma de Mallorca
Baleares

On Fri, Jun 4, 2010 at 11:52 AM, Raimund Sacherer <rs at runsolutions.com>
wrote:
> Hello,
>
> We have a scenario in which there are 2 sites, one in europe and one in
mexico, they are connected via an IAX channel, problem is that the location in
mexico has only a dynamic IP connection to the Internet.
>
> Because of the dynamic IP I can not create IP-Tables rules to only allow
this connection from the outside. But I need to restrict > calls because
there was a break-in which called out.
What is the problem with iptables and dynamic IP? What exactly are you
trying to achieve? How would you on a static IP?
>
> So, is it possible to restrict sip-accounts, which connect through an
outside IP, to only be able to call to extensions and are not  allowed to dial
out?
Just pass the nescesarry context to your "outside" peers:

sip.conf:
[InsideCustomers]
context=DialOutWhereever ; you can dial out from this context
deny=0.0.0.0/0.0.0.0
allow=192.168.0.0/255.255.0.0

[OutsideCustomers]
context=ThisContextDoesNotExist
deny=0.0.0.0/0.0.0.0
allow=0.0.0.0/0.0.0.0

And your "outside" SIP peers will be jailed.
> Are there other possible solutions I am not aware of?
>
> best regards
> Ray

A dynamic DNS could be a solution. I once had a similar situation and I
signed up with dyndns.com, got a domain name and used it for SIP
registrations instead of IP addresses. My dlink router had the option to
setup dynamic dns entry, i.e. set it up with the login info of dyndns.com or
similar service, so whenever the IP changed, it updated it at dyndns.com.

Zeeshan A Zakaria

--
Sent from my Android phone with K-9 Mail.

On 2010-06-04 4:58 AM, "Raimund Sacherer" <rs at
runsolutions.com> wrote:

Hello,

We have a scenario in which there are 2 sites, one in europe and one in
mexico, they are connected via an IAX channel, problem is that the location
in mexico has only a dynamic IP connection to the Internet.

Because of the dynamic IP I can not create IP-Tables rules to only allow
this connection from the outside. But I need to restrict calls because there
was a break-in which called out.

So, is it possible to restrict sip-accounts, which connect through an
outside IP, to only be able to call to extensions and are not allowed to
dial out?

Are there other possible solutions I am not aware of?

best regards
Ray


-
RunSolutions
    Open Source It Consulting
-
Email: rs at runsolutions.com

Parc Bit - Centro Empresarial Son Espanyol
Edificio Estel - Local 3D
07121 -  Palma de Mallorca
Baleares

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
              http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.digium.com/pipermail/asterisk-users/attachments/20100604/e092c61e/attachment.htm