Главная » Блоги » Блог пользователя argo

SIP прокси для локальной сети

Представимся

home# uname -a
FreeBSD home.arg.su 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Thu Sep 20 14:15:35 MSD 2007     root@fr.vodka:/usr/src/sys/i386/compile/ARGO  i386

Ищем прокси

home# whereis siproxd
siproxd: /usr/ports/net/siproxd

Ставим

home# cd /usr/ports/net/siproxd
home# make install

Добавим загрузку в rc.conf

home# echo 'siproxd_enable="YES"' >> /etc/rc.conf

Вот конфиг

home# cat /usr/local/etc/siproxd.conf
#                                                           

# /etc/siproxd.conf - siproxd configuration file
######################################################################

# The interface names of INBOUND and OUTBOUND interface.

#

#    If siproxd is not running on the host doing the masquerading

#    but on a host within the private network segment, "in front" of

#    the masquerading router: define if_inbound and if_outbound to

#    point to the same interface (the inbound interface). In *addition*

#    define 'host_outbound' to hold your external (public) IP address

#    or a hostname that resolves to that address (use a dyndns address for

#    example).

#

if_inbound  = rl0

if_outbound = ng0

# uncomment the following line ONLY IF YOU KNOW WHAT YOU ARE DOING!

# READ THE FAQ FIRST!

#host_outbound = 1.2.3.4



######################################################################

# Access control.

#    Access lists in the form: IP/mask (ex. 10.0.0.1/24)

#    Multiple entries may be separated by commas NO SPACES ARE ALLOWED!!

#    Empty list means 'does not apply' - no filtering is done then.

#    For *allow* lists this means: always allow, for *deny* lists that

#    this means never deny.

#

#    hosts_allow_reg: defines nets from which we accept registrations

#                     Registrations are *ONLY* allowed from INBOUND!

#    hosts_allow_sip: defines nets from which we accept SIP traffic

#    hosts_deny_sip:  defines nets from which we deny SIP traffic

#

#    - The deny list takes precedence over the allow lists.

#    - The allow_reg list also implies allowance for sip.

#

#    Example for usage:

#      local private net -> allow_reg list

#      external nets (from which we accept incoming calls) -> allow_sip

#

#    NOTE: Improper setting here will result in dropped SIP packets!

#          Usually you do NOT want to define hosts_allow_sip!

#

hosts_allow_reg = 192.168.20.0/24,192.168.150.0/23,192.168.10.0/24

#hosts_allow_sip = 123.45.0.0/16,123.46.0.0/16

#hosts_deny_sip  = 10.0.0.0/8,11.0.0.0/8





######################################################################

# Port to listen for incoming SIP messages.

#    5060 is usually the correct choice - don't change this unless you

#    know what you're doing

#

sip_listen_port = 5060





######################################################################

# Shall we daemonize?

#

daemonize = 1



######################################################################

# What shall I log to syslog?

#   0 - DEBUGs, INFOs, WARNINGs and ERRORs

#   1 - INFOs, WARNINGs and ERRORs (this is the default)

#   2 - WARNINGs and ERRORs

#   3 - only ERRORs

#   4 - absolutely nothing (be careful - you will have no way to

#                           see what siproxd is doing - or NOT doing)

silence_log = 1



######################################################################

# Secure Enviroment settings:

#   user:	uid/gid to switch to after startup

#   chrootjail:	path to chroot to (chroot jail)

user = nobody

chrootjail = /usr/local/siproxd/



######################################################################

# Registration file:

#   Where to store the current registrations.

#   An empty value means we do not save registrations. Make sure that

#   the specified directory path does exist!

#   Note: If running in chroot jail, this path starts relative

#         to the jail.

registration_file = siproxd_registrations



######################################################################

# Automatically save current registrations every 'n' seconds

#

autosave_registrations = 300



######################################################################

# PID file:

#   Where to create the PID file.

#   This file holds the PID of the main thread of siproxd.

#   Note: If running in chroot jail, this path starts relative

#         to the jail.

pid_file = siproxd.pid



######################################################################

# global switch to control the RTP proxy behaviour

#       0 - RTP proxy disabled

#       1 - RTP proxy (UDP relay of siproxd)

#

# Note: IPCHAINS and IPTABLES(netfilter) support is no longer present!

#    

rtp_proxy_enable = 1



######################################################################

# Port range to allocate listen ports from for incoming RTP traffic

#    This should be a range that is not blocked by the firewall

#

rtp_port_low  = 7070

rtp_port_high = 7089



######################################################################

# Timeout for RTP streams

#    after this number of seconds, an RTP stream is considered dead

#    and proxying for it will be stopped.

#    Be aware that this timeout also applies to streams that are

#    in HOLD.

#

rtp_timeout = 300



######################################################################

# DSCP value for sent RTP packets

#    The Differentiated Service Code Point is a selector for

#    router's per-hop behaviours.

#    RFC2598 defined a "expedited forwarding" service. This service

#    is designed to allow ISPs to offer a service with attributes

#    similar to a "leased line". This service offers the ULTIMATE IN LOW

#    LOSS, LOW LATENCY AND LOW JITTER by ensuring that there is always

#    sufficent room in output queues for the contracted expedited forwarding

#    traffic.

#    The Expedited Forwarding service has a DSCP of 46.

#    Putting a 0 here means that siproxd does NOT set the DSCP field.

#    Siproxd must be started as root for this to work.

#

rtp_dscp = 46



######################################################################

# Dejitter value

#    Artificial delay to be used to de-jitter RTP data streams.

#    This time is in microseconds.

#    0 - completely disable dejitter (default)

#

rtp_input_dejitter  = 0

rtp_output_dejitter = 0



######################################################################

# Default Expiration timeout for Registrations

#    If a REGISTER request does not contain an Expires header

#    or expires= parameter in the Contact header, this number of

#    seconds will be used - and reported back to the UA in the answer.

#

default_expires = 600



######################################################################

# Proxy authentication

#    If proxy_auth_realm is defined (a string), clients will be forced

#    to authenticate themselfes at the proxy (for registration only).

#    To disable Authentication, simply comment out this line.

#    Note: The proxy_auth_pwfile is independent of the chroot jail.

#

#proxy_auth_realm = Authentication_Realm

#

# the (global) password to use (will be the same for all local clients)

#

#proxy_auth_passwd = password

#

# OR use individual per user passwords stored in a file

#

#proxy_auth_pwfile = /etc/siproxd_passwd.cfg

#

# 'proxy_auth_pwfile' has precedence over 'proxy_auth_passwd'



######################################################################

# Debug level... (setting to -1 will enable everything)

#

#  DBCLASS_BABBLE  0x00000001	   // babble (like entering/leaving func)

#  DBCLASS_NET     0x00000002	   // network

#  DBCLASS_SIP     0x00000004	   // SIP manipulations

#  DBCLASS_REG     0x00000008	   // Client registration

#  DBCLASS_NOSPEC  0x00000010	   // non specified class

#  DBCLASS_PROXY   0x00000020	   // proxy

#  DBCLASS_DNS     0x00000040	   // DNS stuff

#  DBCLASS_NETTRAF 0x00000080	   // network traffic

#  DBCLASS_CONFIG  0x00000100	   // configuration

#  DBCLASS_RTP     0x00000200	   // RTP proxy

#  DBCLASS_ACCESS  0x00000400	   // Access list evaluation

#  DBCLASS_AUTH    0x00000800	   // Authentication

#  DBCLASS_PLUGIN  0x00001000	   // Plugins

#  DCLASS_RTPBABL  0x00002000	   // RTP babble

#

debug_level =      0x00000000



######################################################################

# TCP debug port

#

# You may connect to this port from a remote machine and

# receive the debug output. This allows bettwer creation of

# odebug output on embedded systems that do not have enough

# memory for large disk files.

# Port number 0 means this feature is disabled.

#

debug_port = 0



######################################################################

# Mask feature (experimental)

#

# Some UAs will always use the host/ip they register with as

# host part in the registration record (which will be the inbound

# ip address / hostname of the proxy) and can not be told to use a

# different host part in the registration record (like sipphone, FWD,

# iptel, ...)

# This Mask feature allows to force such a UA to be masqueraded to

# use different host.

# -> Siemens SIP Phones seem to need this feature.

#

# Unles you really KNOW that you need this, don't enable it.

#

# mask_host=

# masked_host=

#

 mask_host=192.168.20.1			-- inbound IP address of proxy

 masked_host=XXX.XXX.ru		-- outbound hostname proxy



######################################################################

# User Agent Masquerading

#

# Siproxd can masquerade the User Agent string of your local UAs.

# Useful for Providers that do not work with some specific UAs

# (e.g. sipcall.ch - it does not work if your outgoing SIP

# traffic contains an Asterisk UA string...)

# Default is to do no replacement.

#

#ua_string = Siproxd-UA



######################################################################

# Use ;rport in via header

#

# may be required in some cases where you have a NAT router that

# remaps the source port 5060 to something different and the

# registrar sends back the responses to port 5060.

# Default is disabled

#   0 - do not add ;rport to via header

#   1 - do add ;rport to INCOMING via header only

#   2 - do add ;rport to OUTGOING via header only

#   3 - do add ;rport to OUTGOING and INCOMING via headers

#

# use_rport = 0



######################################################################

# Outbound proxy

#

# Siproxd itself can be told to send all traffic to another

# outbound proxy.

# You can use this feature to 'chain' multiple siproxd proxies

# if you have several masquerading firewalls to cross.

#

# outbound_proxy_host = my.outboundproxy.org

# outbound_proxy_port = 5060



######################################################################

# Outbound proxy (Provider specific)

#

# Outbound proxies can be specified on a per-domain base.

# This allows to use an outbound proxy needed for ProviderA

# and none (or another) for ProviderB.

#

#outbound_domain_name = freenet.de

#outbound_domain_host = proxy.for.domain.freende.de

#outbound_domain_port = 5060





######################################################################

# Loadable Plug-ins

#

# The plugins are loaded in the order they appear here. Also

# the processing order is given by the load order.

#

# plugin_dir: MUST be terminated with '/'

plugindir=/usr/local/lib/siproxd/

#

# List of plugins to load:

#load_plugin=plugin_demo.so

#load_plugin=plugin_shortdial.so

load_plugin=plugin_logcall.so

#load_plugin=plugin_defaulttarget.so

#load_plugin=plugin_fix_bogus_via.so





######################################################################

# Plugin_demo

#

plugin_demo_string = This_is_a_string_passed_to_the_demo_plugin





######################################################################

# Plugin_shortdial

#

# Quick Dial (Short Dial)

# ability to define quick dial numbers that can be accessed by

# dialing "*00" from a local phone. '00' corresponds to the entry number

# (pi_shortdial_entry) below. The '*' character can be chosen freely

# (pi_shortdial_akey).

# Note: If this module is enabled, there does NOT exist a way to dial

#       a "real" number like *01, siproxd will try to replace it by it's

#       quick dial entry.

#

# The first character is the "key", the following characters give

# the length of the number string. E.g. "*00" allows speed dials

# from *01 to *99. (the number "*100" will be passed through unprocessed)

plugin_shortdial_akey = *00

#

# *01 sipphone echo test

plugin_shortdial_entry = 17474743246

# *02 sipphone welcome message

plugin_shortdial_entry = 17474745000



######################################################################

# Plugin_defaulttarget

#

# Log redirects to syslog

plugin_defaulttarget_log = 1

# target must be a full SIP URI with the syntax

# sip:user@host[:port]

plugin_defaulttarget_target = sip:internal@dddd:port



######################################################################

# Plugin_fix_bogus_via

#

# Incoming (from public network) SIP messages are checked for broken

# SIP Via headers. If the IP address in the latest Via Header is

# part of the list below, it will be replaced by the IP where the

# SIP message has been received from.

plugin_fix_bogus_via_networks = 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

В пакетный фильтр pf добавим правило

#sip
pass in on $ext_if inet proto udp from any to ($ext_if) port {5060, 7070:7089, 1024:65535} \
keep state