All,

I have acquired access to a Cisco CallManager (on the internet) and a pile of Cisco VIP-30 VOIP phones. I have got everything up and working when they are directly connected to the 'net, but now I want to put some of the phones at friends' houses behind the Linux boxen that I've built as NAT/firewalls for their cable modem and ADSL connections...

I'm using RedHat 7.3 but with my own compiled 2.4.20 kernel and iptables 1.2.7a.

Problem is that the phone gets its directory number and connects just fine using the Skinny protocol on TCP:2000 and TFTP on UDP:69; however, the called party can hear me but the return UDPs don't get back in.

A bit of tcpdump-ing shows that there's no obvious/direct relationship between the outgoing UDP port numbers on the voice stream and the incoming reply packets, and hence netfilter/nat has no way to know what to do unless there's a helper.

Searching on Google reveals only a posting from back in the summer by Fred N. van Kempen about the subject/problem:

http://lists.netfilter.org/pipermail/netfilter-devel/2002-July/008844.html

Does anyone know if there's a fix for this? Is there a helper (connection tracking) module that can prime the netfilter/DNAT to get the packets back in by watching the connection set up?

Any help appreciated.

Mike
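Added example (not part of the post above and not netfilter code): a simplified Python model of the tracking behaviour the post describes, showing why the inbound voice packets match no tracked flow and how an expectation registered by a helper would let them through. All addresses and ports are constructed; it assumes the NAT preserves source ports and that the phone's receive port is visible inside the TCP:2000 control connection.

```python
# Simplified model of NAT connection tracking; not kernel or netfilter code.
# Every address and port is a constructed sample value.
# Assumption: the NAT keeps the phone's source port unchanged when masquerading.

class Conntrack:
    def __init__(self):
        self.flows = {}     # (proto, remote_ip, remote_port, public_port) -> inside (ip, port)
        self.expected = {}  # (proto, public_port) -> inside (ip, port)

    def outbound(self, proto, src, sport, dst, dport):
        """An inside host sends a packet: remember the flow so replies map back."""
        self.flows[(proto, dst, dport, sport)] = (src, sport)

    def expect(self, proto, public_port, inside_ip, inside_port):
        """What a helper does: pre-register a flow it saw negotiated on the control channel."""
        self.expected[(proto, public_port)] = (inside_ip, inside_port)

    def inbound(self, proto, src, sport, dport):
        """A packet hits the public side: return the inside target, or None if dropped."""
        key = (proto, src, sport, dport)
        if key in self.flows:
            return self.flows[key]
        target = self.expected.pop((proto, dport), None)
        if target is not None:
            self.flows[key] = target  # the expectation becomes a tracked flow
        return target


def demo(with_helper):
    phone, callmanager, peer = "192.168.1.50", "198.51.100.10", "198.51.100.20"
    ct = Conntrack()
    ct.outbound("tcp", phone, 49152, callmanager, 2000)  # Skinny control connection
    ct.outbound("udp", phone, 20480, peer, 24576)        # outgoing voice stream
    if with_helper:
        # Assumption: the phone's receive port (18000 here) is announced inside
        # the TCP:2000 connection, where a helper could read it.
        ct.expect("udp", 18000, phone, 18000)
    return {
        "skinny_reply": ct.inbound("tcp", callmanager, 2000, 49152),
        # Return voice arrives from an unrelated source port to an unrelated port.
        "voice_in": ct.inbound("udp", peer, 30000, 18000),
        "voice_in_again": ct.inbound("udp", peer, 30000, 18000),
    }


if __name__ == "__main__":
    print("no helper:  ", demo(False))
    print("with helper:", demo(True))
```

Without the expectation, the Skinny reply maps back to the phone but both voice packets return `None`; with it, the first voice packet consumes the expectation and later packets match the resulting flow.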