Tuesday, January 23, 2007

Masquerade your Asterisk Server with SIProxd or Firewalled Asterisk

Siproxd is a proxy/masquerading daemon designed specifically for the SIP protocol. It handles registrations of SIP clients on a private IP network and rewrites the SIP message bodies so that SIP connections become possible through a masquerading firewall. It allows SIP clients (such as kphone or linphone) to work behind an IP masquerading firewall or router, and it can also be installed on the firewall itself. Installation is very simple as well.

SIP (Session Initiation Protocol, RFC 3261) is used by softphones and hardphones (Voice over IP) to initiate a VoIP communication. By itself, SIP does not work through masquerading firewalls, because the transferred data contains IP addresses and port numbers.

STUN servers help SIP clients figure out their publicly visible IP address and use that one instead of the non-routable private address. The drawback is that, usually on the firewall, a wide range of ports must be opened for the incoming RTP traffic, and the SIP client must also support STUN (most of them do).

Siproxd takes another approach (an application layer proxy) and places itself as outbound proxy between the local SIP client and the remote SIP client or SIP registrar. It rewrites the SIP traffic on the fly and also includes an RTP proxy for incoming and outgoing RTP traffic (the actual audio portion of a SIP based VoIP call). The port range for receiving RTP data is configurable, so the firewall needs to allow/open only a small port range.
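What the rewriting actually touches is easiest to see on a concrete message. The following is an added example, not siproxd's code: a small Python model of the masquerading step on an INVITE leaving the private network. It replaces the private address in the Via and Contact headers and in the SDP connection lines, swaps the client's media port for one from the proxy's own RTP range, and recomputes Content-Length. The public address 203.0.113.5, the client's RTP port 8000 and the INVITE itself are constructed for the demonstration; the private address 10.0.0.11 and the range 7070-7089 are the values used in the configuration in this post.

```python
"""Model of the SIP/SDP rewriting an application-layer proxy such as siproxd
performs on a request leaving a private network.

Added example, not siproxd's code.  The public address, the client RTP port
and the INVITE are constructed; the private address and the RTP range follow
the configuration in this post (Asterisk at 10.0.0.11, ports 7070-7089).
"""

PUBLIC_IP = "203.0.113.5"                  # assumed address of the ppp0 side
RTP_PORT_LOW, RTP_PORT_HIGH = 7070, 7089   # same values as rtp_port_low/high


class RtpProxyTable:
    """Hands out ports from the proxy's RTP range and remembers where each one
    forwards to, which is the state an RTP proxy needs to relay the audio."""

    def __init__(self, low, high):
        self.free = list(range(low, high + 1))
        self.mappings = {}  # public port -> (private ip, private port)

    def allocate(self, private_ip, private_port):
        if not self.free:
            raise RuntimeError("RTP port range exhausted")
        port = self.free.pop(0)
        self.mappings[port] = (private_ip, private_port)
        return port


def build_sample_invite(client_ip="10.0.0.11", rtp_port=8000):
    """Constructed INVITE as Asterisk (with fromuser/fromdomain set) would send
    it from the private network.  Content-Length is computed from the body."""
    body = "\r\n".join([
        "v=0",
        f"o=- 1 1 IN IP4 {client_ip}",
        "s=-",
        f"c=IN IP4 {client_ip}",
        "t=0 0",
        f"m=audio {rtp_port} RTP/AVP 0 3",
    ]) + "\r\n"
    headers = [
        "INVITE sip:17476691234@proxy01.sipphone.com SIP/2.0",
        f"Via: SIP/2.0/UDP {client_ip}:5060;branch=z9hG4bK776asdhds",
        "From: <sip:17476691234@proxy01.sipphone.com>;tag=1928301774",
        "To: <sip:17476691234@proxy01.sipphone.com>",
        f"Contact: <sip:17476691234@{client_ip}:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body.encode())}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def masquerade_sip(message, client_ip, public_ip, rtp_table):
    """Rewrite every place where the private address leaks into the message so
    the remote side only ever sees public_ip and the proxy's RTP port."""
    head, _, body = message.partition("\r\n\r\n")

    new_head = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            # these tell the far end where to send responses and requests
            line = line.replace(client_ip, public_ip)
        new_head.append(line)

    new_body = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace(client_ip, public_ip)   # SDP connection address
        elif line.startswith("m="):
            fields = line.split(" ")
            # the media port must now be one the RTP proxy listens on
            fields[1] = str(rtp_table.allocate(client_ip, int(fields[1])))
            line = " ".join(fields)
        new_body.append(line)
    body_text = "\r\n".join(new_body)

    # the body changed length, so Content-Length has to be recomputed
    new_head = [
        f"Content-Length: {len(body_text.encode())}"
        if h.lower().startswith("content-length:") else h
        for h in new_head
    ]
    return "\r\n".join(new_head) + "\r\n\r\n" + body_text


def content_length_ok(message):
    """True if the Content-Length header matches the actual body size."""
    head, _, body = message.partition("\r\n\r\n")
    for line in head.split("\r\n"):
        if line.lower().startswith("content-length:"):
            return int(line.split(":", 1)[1]) == len(body.encode())
    return False


if __name__ == "__main__":
    table = RtpProxyTable(RTP_PORT_LOW, RTP_PORT_HIGH)
    print(masquerade_sip(build_sample_invite(), "10.0.0.11", PUBLIC_IP, table))
    print("RTP mappings:", table.mappings)
```

The mapping table is the reason the firewall only has to open the small configured range: the far end sends audio to the public port the proxy handed out, and the proxy forwards it to the private host and port recorded for that entry. A real proxy also has to expire entries (siproxd's rtp_timeout) so an abandoned call does not hold a port forever.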

Now for the masquerading Asterisk server:

The Asterisk server registers itself as a SIP UA (client) with an external SIP registrar. In this example sipphone.com is used as the external SIP provider. As Asterisk does not allow specifying a SIP outbound proxy, transparent proxying is used: the firewall redirects the Asterisk server's outgoing SIP traffic to siproxd. The context values in the Asterisk configuration need to be adapted to fit your needs.

Various configuration files:

siproxd.conf:

if_inbound = eth0
if_outbound = ppp0
hosts_allow_reg = 10.0.0.0/24
sip_listen_port = 5060
daemonize = 1
silence_log = 1
log_calls = 1
user = siproxd
registration_file = /var/lib/siproxd_registrations
pid_file = /var/run/siproxd/siproxd.pid
rtp_proxy_enable = 1
rtp_port_low = 7070
rtp_port_high = 7089
rtp_timeout = 300
default_expires = 600
debug_level = 0
debug_port = 0

Firewall configuration (iptables):

# redirect outgoing SIP traffic to siproxd (myself)
iptables -t nat -A PREROUTING -m udp -p udp -i eth0 \
--source 10.0.0.11 --destination-port 5060 -j REDIRECT
# allow incoming SIP and RTP traffic
iptables -A INPUT -m udp -p udp -i ppp0 --dport 5060 -j ACCEPT
# the RTP range must cover rtp_port_low to rtp_port_high from siproxd.conf
iptables -A INPUT -m udp -p udp -i ppp0 --dport 7070:7089 -j ACCEPT
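The siproxd port settings and the firewall rules live in two different files, and it is easy for them to drift apart: if the ACCEPT rule covers fewer ports than rtp_port_low..rtp_port_high, calls that land on the upper ports have one-way or no audio while everything else looks healthy. The following is an added example, not part of siproxd or of this post, that parses both files and reports the mismatches. The embedded inputs are constructed: the siproxd values are the ones used above, and the iptables rules deliberately open a range that is nine ports too short so the check has something to report.

```python
"""Cross-check the SIP/RTP port settings in siproxd.conf against the iptables
rules meant to admit that traffic.  Added example, not siproxd's own code.
Both inputs are constructed for the demonstration."""

SIPROXD_CONF = """
# constructed: the values used in this post
if_inbound = eth0
if_outbound = ppp0
hosts_allow_reg = 10.0.0.0/24
sip_listen_port = 5060
rtp_proxy_enable = 1
rtp_port_low = 7070
rtp_port_high = 7089
"""

IPTABLES_RULES = r"""
# constructed: the RTP range here is deliberately shorter than siproxd's
iptables -t nat -A PREROUTING -m udp -p udp -i eth0 \
--source 10.0.0.11 --destination-port 5060 -j REDIRECT
iptables -A INPUT -m udp -p udp -i ppp0 --dport 5060 -j ACCEPT
iptables -A INPUT -m udp -p udp -i ppp0 --dport 7070:7080 -j ACCEPT
"""


def parse_siproxd_conf(text):
    """key = value lines, '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def parse_iptables_rules(text):
    """Extract the fields the check needs from iptables command lines.
    Backslash continuations are joined first."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = {"table": "filter", "chain": None, "target": None,
                "dports": None, "in": None, "source": None}
        tokens = line.split()
        i = 0
        while i < len(tokens):
            t = tokens[i]
            if t == "-t":
                rule["table"] = tokens[i + 1]; i += 2
            elif t in ("-A", "-I"):
                rule["chain"] = tokens[i + 1]; i += 2
            elif t == "-j":
                rule["target"] = tokens[i + 1]; i += 2
            elif t in ("--dport", "--destination-port"):
                lo, _, hi = tokens[i + 1].partition(":")
                rule["dports"] = (int(lo), int(hi or lo)); i += 2
            elif t == "-i":
                rule["in"] = tokens[i + 1]; i += 2
            elif t in ("-s", "--source"):
                rule["source"] = tokens[i + 1]; i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def check_consistency(conf, rules):
    """Return a list of findings; an empty list means firewall and proxy agree."""
    findings = []
    wan = conf["if_outbound"]
    sip_port = int(conf.get("sip_listen_port", 5060))
    low, high = int(conf["rtp_port_low"]), int(conf["rtp_port_high"])

    accepts = [r for r in rules if r["table"] == "filter" and r["chain"] == "INPUT"
               and r["target"] == "ACCEPT" and r["in"] == wan and r["dports"]]

    def accepted(port):
        return any(lo <= port <= hi for lo, hi in (r["dports"] for r in accepts))

    if not accepted(sip_port):
        findings.append(f"SIP port {sip_port}/udp is not accepted on {wan}")
    missing = [p for p in range(low, high + 1) if not accepted(p)]
    if missing:
        findings.append(f"{len(missing)} RTP port(s) between {missing[0]} and "
                        f"{missing[-1]} are in siproxd's range but not accepted on {wan}")

    # the transparent-proxy rule must hit the port siproxd listens on and
    # should be limited to the host that is meant to be proxied
    for r in rules:
        if r["table"] == "nat" and r["target"] == "REDIRECT":
            if r["dports"] != (sip_port, sip_port):
                findings.append("REDIRECT rule does not match sip_listen_port")
            if r["source"] is None:
                findings.append("REDIRECT rule has no --source; every LAN host "
                                "would be transparently proxied")
    return findings


def run_check(conf_text=SIPROXD_CONF, rules_text=IPTABLES_RULES):
    return check_consistency(parse_siproxd_conf(conf_text),
                             parse_iptables_rules(rules_text))


if __name__ == "__main__":
    for finding in run_check() or ["OK: firewall and siproxd agree"]:
        print(finding)
```

Run it against the real files after every change to either one; the same idea extends to whatever other rules mention these ports, such as a FORWARD chain if siproxd is not on the firewall itself.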

Asterisk configuration (SIP related part):

Note: the fromuser and fromdomain keywords in the client section are essential. They are required for Asterisk to send the correct From headers in SIP dialogs.

sip.conf:

[general]
port = 5060 ; Port to bind to (SIP is 5060)
bindaddr = 0.0.0.0 ; Address to bind to (all addresses on machine)
context = from-sip-external ; Send unknown SIP callers to this context
callerid = Unknown
defaultexpirey = 900

; codecs
disallow=all
allow=gsm ; 13 Kbps
allow=ulaw ; 64 Kbps
allow=alaw ; 64 Kbps

; SIP trunk to sipphone.com; you can use your own outbound SIP trunk here
; the SIP number was chosen at random for this example
register=17476691234:@proxy01.sipphone.com

[17476691234]
type=user
nat=never
context=from-pstn
canreinvite=no

[sipphone1]
username=17476691234
type=peer
qualify=2000
host=proxy01.sipphone.com
fromuser=17476691234
fromdomain=proxy01.sipphone.com
context=from-pstn
canreinvite=no
secret=

; local SIP extensions
[200]
username=200
type=friend
secret=XXXXXX
qualify=500
port=5060
pickupgroup=
nat=never
mailbox=
host=dynamic
dtmfmode=rfc2833
disallow=
context=from-internal
canreinvite=no
callgroup=
callerid="Extension 200" <200>
allow=all
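The requirement from the note above (fromuser and fromdomain on the peer that carries the registration) and a couple of other things worth checking before exposing this box, such as a dynamic extension left without a secret, can be verified mechanically. The following is an added example, not Asterisk's code or a tool from this post: a small lint over sip.conf. The embedded configuration is constructed to follow the layout above, with a placeholder provider password and a second extension [201] that has deliberately been left without a secret so the check has something to report.

```python
"""Sanity checks for the SIP part of an Asterisk configuration.  Added example,
not Asterisk's code.  SIP_CONF is constructed: it mirrors the layout in this
post, with a placeholder provider secret and one extension deliberately
missing its secret."""

SIP_CONF = """
[general]
port = 5060
bindaddr = 0.0.0.0
context = from-sip-external       ; unknown callers land here
register=17476691234:PROVIDER_SECRET_PLACEHOLDER@proxy01.sipphone.com

[sipphone1]
type=peer
host=proxy01.sipphone.com
username=17476691234
fromuser=17476691234
fromdomain=proxy01.sipphone.com
secret=PROVIDER_SECRET_PLACEHOLDER
context=from-pstn

[200]
type=friend
host=dynamic
secret=XXXXXX
context=from-internal

[201]
type=friend
host=dynamic
secret=                           ; constructed defect
context=from-internal
"""


def parse_asterisk_conf(text):
    """Parse the [section] / key=value (or key => value) layout and ignore ';'
    comments.  register lines are collected into a list because [general]
    may hold several; any other repeated key keeps its last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {"register": []}
            continue
        key, _, value = line.partition("=>") if "=>" in line else line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "register":
            sections[current]["register"].append(value)
        else:
            sections[current][key] = value
    return sections


def registrar_host(register_value):
    """user[:secret[:authuser]]@host[:port][/extension]  ->  host"""
    host_part = register_value.split("@", 1)[1]
    return host_part.split("/", 1)[0].split(":", 1)[0]


def lint_sip_conf(sections):
    findings = []
    general = sections.get("general", {})

    # 1. each outbound registration needs a peer with fromuser/fromdomain,
    #    otherwise the From headers Asterisk sends are wrong for the provider
    for reg in general.get("register", []):
        host = registrar_host(reg)
        peers = [n for n, s in sections.items() if s.get("host") == host]
        if not peers:
            findings.append(f"register to {host} has no matching peer section")
        for n in peers:
            for key in ("fromuser", "fromdomain"):
                if not sections[n].get(key):
                    findings.append(f"[{n}]: {key} is missing for registrar {host}")

    # 2. anything allowed to register to us must authenticate
    for name, s in sections.items():
        if s.get("host") == "dynamic" and not s.get("secret"):
            findings.append(f"[{name}]: host=dynamic but secret is empty")

    # 3. unknown external callers must not land in the internal dialplan
    internal = {s.get("context") for s in sections.values() if s.get("host") == "dynamic"}
    if general.get("context") in internal:
        findings.append("[general] context for unknown callers equals an "
                        "internal extension context")
    return findings


if __name__ == "__main__":
    for finding in lint_sip_conf(parse_asterisk_conf(SIP_CONF)) or ["OK"]:
        print(finding)
```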

There you have it, a firewalled Asterisk server or Trixbox.

Links:
SIPROXD at Sourceforge.net
