asterisk users - Aug 2012 - Block outbound calls based on IP address

We are looking to further secure our Asterisk installation by inspecting the
IP address that a SIP INVITE comes from and performing some logic to
determine whether the call should proceed. The purpose of this is to prevent
calls to certain expensive destinations if the SIP message is coming from a
foreign IP that we don't expect.

I can see that it's possible to use the SIP_HEADER function however that may
not contain the public IP address. For example here is an invite from the
external IP address 58.28.1.1 but that information is not contained in the
SIP header:
U 58.28.1.1:5060 -> 203.89.1.1:5060
  INVITE sip:1000 at domain.com SIP/2.0..Via: SIP/2.0/UDP
192.168.1.103:5060;branch=z9hG4bK-d8754z-fc116e03a80ef774-1---d8754z-;rport.
.Max-Forwards: 70
  ..Contact: <sip:0003330822222261336 at 192.168.1.103:5060>..To:
<sip:1000 at domain.com>..From: <sip:0003330822222261336 at
domain.com>;tag=7
  dcb1e4d..Call-ID: NDMyZmRhY2Q4ZjNhMjAxMDJhOTA3OTU0MzMyNTkzNjI...CSeq: 1
INVITE..Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
SUBSCRIBE, INF
  O..Content-Type: application/sdp..Supported: replaces..User-Agent: X-Lite
release 5.0.0 stamp 67284..Content-Length: 217....v=0..o=- 12988751314362048
1 IN IP4
  192.168.1.103..s=CounterPath X-Lite 5.0.0..c=IN IP4
192.168.1.103..b=AS:1638..t=0 0..m=audio 5062 RTP/AVP 0 8 3
101..a=rtpmap:101 telephone-event/8000..a=fmtp:1
  01 0-15..a=sendrecv..

Is it possible to determine the public IP address from the dialplan?

Any advice appreciated.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 9126 bytes
Desc: not available
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20120807/c9dab7b2/attachment.bin>

Hi,

You can try with SIPCHANINFO function otherwise you need to modify
chan_sip.c for getting this addresses.

thanks
Dhaval

On Tue, Aug 7, 2012 at 12:10 AM, CB <kjcsb at xnet.co.nz> wrote:
> We are looking to further secure our Asterisk installation by inspecting
> the
> IP address that a SIP INVITE comes from and performing some logic to
> determine whether the call should proceed. The purpose of this is to
> prevent
> calls to certain expensive destinations if the SIP message is coming from a
> foreign IP that we don't expect.
>
> I can see that it's possible to use the SIP_HEADER function however
that
> may
> not contain the public IP address. For example here is an invite from the
> external IP address 58.28.1.1 but that information is not contained in the
> SIP header:
> U 58.28.1.1:5060 -> 203.89.1.1:5060
>   INVITE sip:1000 at domain.com SIP/2.0..Via: SIP/2.0/UDP
> 192.168.1.103:5060
> ;branch=z9hG4bK-d8754z-fc116e03a80ef774-1---d8754z-;rport.
> .Max-Forwards: 70
>   ..Contact: <sip:0003330822222261336 at 192.168.1.103:5060>..To:
> <sip:1000 at domain.com>..From: <sip:0003330822222261336 at
domain.com>;tag=7
>   dcb1e4d..Call-ID: NDMyZmRhY2Q4ZjNhMjAxMDJhOTA3OTU0MzMyNTkzNjI...CSeq: 1
> INVITE..Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> SUBSCRIBE, INF
>   O..Content-Type: application/sdp..Supported: replaces..User-Agent: X-Lite
> release 5.0.0 stamp 67284..Content-Length: 217....v=0..o=-
> 12988751314362048
> 1 IN IP4
>   192.168.1.103..s=CounterPath X-Lite 5.0.0..c=IN IP4
> 192.168.1.103..b=AS:1638..t=0 0..m=audio 5062 RTP/AVP 0 8 3
> 101..a=rtpmap:101 telephone-event/8000..a=fmtp:1
>   01 0-15..a=sendrecv..
>
> Is it possible to determine the public IP address from the dialplan?
>
> Any advice appreciated.
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>                http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20120807/4dc87545/attachment.htm>