
I discovered OpenSIPS and all its possibilities a few days ago. I would just like to use it as a simple SIP proxy to get started: a proxy between my designated UAC and my UAS (Asterisk, not natted). The goal is to use a proxy to prevent bot attacks on my UAS.

After installing OpenSIPS, I tried to configure my XLITE (natted) by simply adding the proxy URL in the configuration. It works, I register and I can see in my UAS peers my extensions with proxy IP. But when I make a call, I got a forbidden error. In debug mode, the log does not talk to me, I see a lot of information but nothing about this error.

I did not make any changes to the default configuration script. Is this behavior normal?

I also tried with a VM on a public IP as UAC (so not natted), same thing.

Thank you for your help.

Olivier

Mayzz

1 Answer


Most likely, your SIP INVITE is hitting this block:

```
if (!is_myself("$rd")) {
    send_reply("403", "Relay Forbidden");
    exit;
}
```

What this means is that your OpenSIPS does not consider itself responsible for the domain (or IP) that your SIP UA has placed in the Request-URI and is trying to route towards. To fix this, just whitelist the Asterisk IP as a local (recognized) domain using the alias statement:

```
listen = udp:*:5060
alias = 1.1.1.1
```

Liviu Chircu
  • Yes indeed, you were right. I modified the script to only accept requests from or going to my UAS. Now everything works except that my UAC is behind a NAT. I can make calls to the UAS but not receive them. I saw that there is a module "nat_traversal.so" and I loaded it but I still have the same problem. Maybe this is because the asterisk extension is set to nat = force_rport, comedia? – Mayzz Oct 16 '18 at 21:22
  • using `nathelper.so`, call [fix_nated_register()](https://opensips.org/html/docs/modules/3.0.x/nathelper.html#func_fix_nated_register) before doing `save()`. OpenSIPS will remember the source IP and port, thus being able to route calls destined for your UAC. – Liviu Chircu Oct 16 '18 at 21:56
  • I just tried. Always the same result. I can call from a natted UAC an extension (which is on a non-natted UAC), but the extension hangs up after 3 seconds, while the natted UAC remains in communication. Conversely when the non-natted UAC calls the natted UAC, I have a timeout. This is very strange behavior... – Mayzz Oct 16 '18 at 22:31
  • make sure you set the `received_avp` parameter of both `usrloc` and `nathelper` to the same value, so `usrloc` properly stores the source IP/port. If this is done correctly, a new `Received::` entry should be printed out if you run `opensipsctl ul show` after you register your NAT'ed UAC. – Liviu Chircu Oct 17 '18 at 05:53
  • I changed usrloc received_avp but the problem persists. When I run "opensipsctl ul sho" I get this message "/tmp/opensips_fifo does not exist ERROR: Make sure you have the line 'modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")' in your config". With asterisk, I have a 408 error (Request timeout) when I try to call the natted extension from a non-natted phone. Must I change the nat parameter of the natted extension to "no"? Thank you very much for your help. – Mayzz Oct 20 '18 at 12:16
  • please check the opensips logs for any relevant errors, as well as the `mi_fifo` module configuration. The `opensipsctl` works fine if you use the apt.opensips.org or yum.opensips.org packages. – Liviu Chircu Oct 23 '18 at 08:41
  • I installed opensips 2.4.2 by yum. I'm on CentOS 7. My mi_fifo module is defined by default: loadmodule "mi_fifo.so" modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo") modparam("mi_fifo", "fifo_mode", 0666) I don't understand the message. – Mayzz Oct 26 '18 at 10:36
  • stupid question: is your opensips running? `ps aux | grep opensips` should clear out this mystery – Liviu Chircu Oct 27 '18 at 09:18
  • I get: root 7528 0.0 0.0 112724 960 pts/0 S+ 18:58 0:00 grep --color=auto opensips+ – Mayzz Nov 01 '18 at 17:59
  • I disabled the service to launch opensips manually; this allows me to debug. – Mayzz Nov 01 '18 at 18:01
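
The NAT steps discussed in the comments, collected into one fragment as an added example (not the poster's script and not code from the OpenSIPS project). It assumes OpenSIPS 2.4, the version named in the comments, where `received_avp` is a parameter of the `registrar` and `nathelper` modules; `$avp(rcv)` is a name chosen here, and the lines are meant to be merged into a script that already loads the signaling modules.

```opensips
# Added example: fragment for an OpenSIPS 2.4 script.

# MI FIFO that `opensipsctl ul show` talks to (value as quoted in the comments).
# The FIFO only exists while the opensips process is running.
loadmodule "mi_fifo.so"
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")

loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "nathelper.so"

# Assumption: $avp(rcv) is an arbitrary AVP name. It must be identical in
# both lines, otherwise the address captured by nathelper is never stored
# with the contact and calls towards the NAT'ed UAC time out.
modparam("registrar", "received_avp", "$avp(rcv)")
modparam("nathelper", "received_avp", "$avp(rcv)")

route {
    if (is_method("REGISTER")) {
        # Capture the packet's real source IP:port into the AVP
        # BEFORE the binding is written by save().
        fix_nated_register();

        if (!save("location"))
            sl_reply_error();
        exit;
    }

    # The rest of the request routing stays as in the existing script,
    # including the is_myself("$rd") relay guard quoted in the answer.
}
```

After the NAT'ed UAC registers again, `opensipsctl ul show` should list a received entry for its contact, which is the check suggested in the comments.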