SER managing a telephony gateway

example: ser configured as PSTN gateway guard; PSTN gateway is located at 192.168.0.10

 #
 # $Id: pstn.cfg,v 1.2 2003/06/03 03:18:12 jiri Exp $
 #
 #

 # ------------------ module loading ----------------------------------

 loadmodule "modules/sl/sl.so"
 loadmodule "modules/tm/tm.so"
 loadmodule "modules/acc/acc.so"
 loadmodule "modules/rr/rr.so"
 loadmodule "modules/maxfwd/maxfwd.so"
 loadmodule "modules/mysql/mysql.so"
 loadmodule "modules/auth/auth.so"
 loadmodule "modules/auth_db/auth_db.so"
 loadmodule "modules/group/group.so"
 loadmodule "modules/uri/uri.so"

 # ----------------- setting module-specific parameters ---------------

 modparam("auth_db", "db_url","sql://ser:heslo@localhost/ser")
 modparam("auth_db", "calculate_ha1", yes)
 modparam("auth_db", "password_column", "password")

 # — acc params --
 modparam("acc", "log_level", 1)
 # that is the flag for which we will account — don't forget to
 # set the same one :-)
 modparam("acc", "log_flag", 1 )

 # -------------------------  request routing logic -------------------

 # main routing logic

 route{

       /* ********* ROUTINE CHECKS  ********************************** */

       # filter too old messages
       if (!mf_process_maxfwd_header("10")) {
               log("LOG: Too many hops\n");
               sl_send_reply("483","Too Many Hops");
               break;
       };
       if (len_gt( max_len )) {
               sl_send_reply("513", "Wow — Message too large");
               break;
       };

       /* ********* RR ********************************** */

       /* grant Route routing if route headers present */
       if (loose_route()) { t_relay(); break; };

       /* record-route INVITEs — all subsequent requests must visit us */
       if (method=="INVITE") {
               record_route();
       };

   # now check if it really is a PSTN destination which should be handled
       # by our gateway; if not, and the request is an invitation, drop it --
       # we cannot terminate it in PSTN; relay non-INVITE requests — it may
       # be for example BYEs sent by gateway to call originator
       if (!uri=~"sip:\+?[0-9]+@.*") {
               if (method=="INVITE") {
                       sl_send_reply("403", "Call cannot be served here");
               } else {
                       forward(uri:host, uri:port);
               };
               break;
       };

       # account completed transactions via syslog
       setflag(1);

       # free call destinations ... no authentication needed
       if ( is_user_in("Request-URI", "free-pstn")  /* free destinations */
                       | uri=~"sip:[79][0-9][0-9][0-9]@.*" /* local PBX */
                       | uri=~"sip:98[0-9][0-9][0-9][0-9]") {
               log("free call");
       } else if (src_ip==192.168.0.10) {
               # our gateway doesn't support digest authentication;
               # verify that a request is coming from it by source
               # address
               log("gateway-originated request");
       } else {
               # in all other cases, we need to check the request against
               # access control lists; first of all, verify request
               # originator's identity

               if (!proxy_authorize(   "gateway" /* realm */,
                               "subscriber" /* table name */))  {
                       proxy_challenge( "gateway" /* realm */, "0" /* no qop */ );
                       break;
               };

               # authorize only for INVITEs — RR/Contact may result in weird
               # things showing up in d-uri that would break our logic; our
               # major concern is INVITE which causes PSTN costs

               if (method=="INVITE") {

                       # does the authenticated user have a permission for local
                       # calls (destinations beginning with a single zero)?
                       # (i.e., is he in the "local" group?)
                       if (uri=~"sip:0[1-9][0-9]+@.*") {
                               if (!is_user_in("credentials", "local")) {
                                       sl_send_reply("403", "No permission for local calls");
                                       break;
                               };
                       # the same for long-distance (destinations begin with two zeros")
                       } else if (uri=~"sip:00[1-9][0-9]+@.*") {
                               if (!is_user_in("credentials", "ld")) {
                                       sl_send_reply("403", " no permission for LD ");
                                       break;
                               };
                       # the same for international calls (three zeros)
                       } else if (uri=~"sip:000[1-9][0-9]+@.*") {
                               if (!is_user_in("credentials", "int")) {
                                       sl_send_reply("403", "International permissions needed");
                                       break;
                               };
   # everything else (e.g., interplanetary calls) is denied
                       } else {
                               sl_send_reply("403", "Forbidden");
                               break;
                       };

               }; # INVITE to authorized PSTN

       }; # authorized PSTN

       # if you have passed through all the checks, let your call go to GW!

       rewritehostport("192.168.0.10:5060");

       # forward the request now
       if (!t_relay()) {
               sl_reply_error();
               break;
       };

 }

---

See also

• SIP method invite
• Used SER modules
  • sl.so: Stateless replies
  • tm.so: Transaction management
  • acc.so: Accounting
  • rr.so: Routing and record-routing
  • maxfwd.so: Keeps track of forwards
  • mysql.so: Mysql database access
  • auth.so: Authentication
  • auth_db.so: Authentication from database
  • group.so: Group authentication
  • uri.so: Various URI checks

---

Back to SER tips and tricks