sipscreen-ipqueue - A Linux iptables QUEUE target handler for screening incoming SIP phone calls
sipscreen-ipqueue <port> <decider program>
When run on a Linux router with properly configured iptables rules, sipscreen-ipqueue is responsible for instructing the kernel to accept or drop SIP control packets. For SIP packets that describe a new inbound call, sipscreen-ipqueue will extract the caller ID information contained in that SIP packet, and pass it to an external ``decider'' program for analysis. If the decider program terminates with an exit code of 0, the call is permitted and the SIP packet is allowed. If the decider program terminates with any other exit code, the call is rejected and the SIP packet is dropped on the floor.
The decider program can be either extremely simple (``/bin/false''), or extremely complicated. It is executed once for each SIP packet received that describes a new inbound phone call, and will be passed the caller's phone number as its first argument, and the caller's name as its second argument. In the event no caller ID information is provided in the SIP packet, the phone number will be represented as ``000-000-0000'', and the name as ``UNKNOWN''.
An example decider program, sipscreen-decider.sample, is distributed with sipscreen.
Lastly, it is important to note that the decider program will be run as root, unless it takes measures to drop root privileges.
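A decider following the contract described above, as an added example (it is not sipscreen-decider.sample and not part of the sipscreen distribution): it drops root before touching the caller ID, treats both arguments as untrusted network input, and rejects the call on any error. The blocked numbers are constructed sample data, and the ``nobody'' account and the policy of rejecting calls with missing caller ID are assumptions.

```python
#!/usr/bin/env python3
"""Example decider for sipscreen-ipqueue: exit 0 permits the call, non-zero rejects it."""
import os
import pwd
import re
import sys

# Constructed sample data; a real deployment would load its own list.
BLOCKED_NUMBERS = {"2155550100", "2155550101"}
UNPRIVILEGED_USER = "nobody"   # assumption: account to run as after dropping root

ALLOW, REJECT = 0, 1


def drop_privileges(user=UNPRIVILEGED_USER):
    """sipscreen-ipqueue runs the decider as root; give that up before parsing input."""
    if os.getuid() != 0:
        return
    entry = pwd.getpwnam(user)
    os.setgroups([])               # clear supplementary groups first
    os.setgid(entry.pw_gid)        # group before user, or setgid would fail
    os.setuid(entry.pw_uid)


def normalize(number):
    """Reduce a caller-supplied number to digits; None if it is not a plausible number."""
    if not re.fullmatch(r"[0-9+() .-]{1,32}", number):
        return None
    return re.sub(r"\D", "", number)


def decide(number, name):
    """Return ALLOW or REJECT. Caller ID comes from the network and is untrusted."""
    digits = normalize(number)
    if digits is None:
        return REJECT              # malformed number: fail closed
    if digits == "0000000000" or name == "UNKNOWN":
        return REJECT              # placeholders sipscreen passes when caller ID is missing
    if digits in BLOCKED_NUMBERS:
        return REJECT
    return ALLOW


if __name__ == "__main__":
    try:
        drop_privileges()
        sys.exit(decide(sys.argv[1], sys.argv[2]))
    except Exception:
        sys.exit(REJECT)           # missing arguments or failed setuid rejects the call
```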
An iptables configuration might look something like:
iptables -A FORWARD --in-interface eth0 --out-interface eth1 --protocol udp --dport 5061 --jump QUEUE
Modify the interface names and port number as appropriate.
Michael C. Toren <mct@toren.net>
For updates, please see http://michael.toren.net/code/sipscreen/
iptables(8), http://michael.toren.net/slides/ipqueue/slide001.html