Conntrack - Iptables - SIP
Hi Everyone,
I have a VoIP network with VoIP/SIP soft clients behind a Linux firewall (CentOS 5.5) running conntrackd and iptables.
I have the SIP port enabled and a DNAT rule that allows incoming connections on port X to be re-routed directly to the client that is listening on port Y.
When the client registers to a Registrar on the public internet, all SIP responses are allowed by the firewall and forwarded to the client. Incoming call attempts (INVITE) are also allowed because they come from the same Registrar. NAT/PAT is done correctly using random ports, but if it is the first time, it sticks with 5060.
However, when I send a message from a different server to the same port (public IP address/port of the firewall that was sent in the SIP REGISTER message), it does not get NAT/PAT and the firewall drops it with an ICMP host not reachable (port not reachable) error code.
The conntrack module shows this connection as REPLIED, while the connection to the Registrar shows as ASSURED. An attempt to manually change the state also gave an error.
Is there a way to have the stateful firewall, and at the same time have conntrack/iptables not drop the incoming packet from a different address? Any/all assistance is greatly appreciated.
Thanks in advance
Nair
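As an added illustration (not part of the original post), here is a small Python model of why the two inbound packets fare differently: conntrack keys every flow on the full 5-tuple and reverses a MASQUERADE/SNAT mapping only for packets that match the stored reply tuple, so a packet from a different server to the same public port is a NEW flow, and whether it reaches the client depends on a static DNAT rule plus a FORWARD rule that accepts NEW packets to the DNAT target. The addresses, ports and the shape of the ruleset are assumptions.

```python
from typing import Dict, Optional, Tuple
Tuple5 = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport): the key conntrack uses

def reverse(t: Tuple5) -> Tuple5:
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)
class ConntrackNat:
    """Toy conntrack + NAT table: one original and one reply tuple per flow (constructed model)."""
    def __init__(self, public_ip: str, dnat: Dict[int, Tuple[str, int]], forward_new_to_dnat: bool):
        self.public_ip = public_ip
        self.dnat = dnat                                  # PREROUTING DNAT: public port -> (client ip, port)
        self.forward_new_to_dnat = forward_new_to_dnat    # does FORWARD accept NEW flows to that target?
        self.by_orig: Dict[Tuple5, Tuple5] = {}           # original tuple -> reply tuple
        self.by_reply: Dict[Tuple5, Tuple5] = {}          # reply tuple -> original tuple

    def outbound(self, pkt: Tuple5) -> Tuple5:
        """LAN -> Internet through MASQUERADE; returns the tuple as seen on the wire."""
        if pkt in self.by_reply:                          # client answering a DNATed flow: undo DNAT
            return reverse(self.by_reply[pkt])
        if pkt not in self.by_orig:
            proto, src, sport, dst, dport = pkt
            used = {r[4] for r in self.by_orig.values()}
            snat_port = sport if sport not in used else 40000 + len(used)  # keeps 5060 the first time
            reply = (proto, dst, dport, self.public_ip, snat_port)
            self.by_orig[pkt], self.by_reply[reply] = reply, pkt
        return reverse(self.by_orig[pkt])

    def inbound(self, pkt: Tuple5) -> Tuple[str, Optional[Tuple5]]:
        """Internet -> LAN; returns (verdict, tuple delivered to the client)."""
        proto, src, sport, dst, dport = pkt
        orig = self.by_reply.get(pkt)
        if orig is not None:                              # ESTABLISHED: reverse the SNAT mapping
            return ("FORWARD", (proto, src, sport, orig[1], orig[2]))
        # Nothing matches the full 5-tuple, so a different source hitting the very port
        # advertised in REGISTER is a NEW flow; only a static DNAT rule can map it.
        if dport in self.dnat and self.forward_new_to_dnat:
            cip, cport = self.dnat[dport]
            reply = (proto, cip, cport, src, sport)
            self.by_orig[pkt], self.by_reply[reply] = reply, pkt
            return ("FORWARD", reverse(reply))
        return ("REJECT icmp-port-unreachable", None)

def scenario(forward_new_to_dnat: bool) -> Tuple[int, str, str]:
    """REGISTER goes out; then the registrar and an unrelated server send to the public port."""
    public_ip, client, registrar, other = "203.0.113.1", "192.168.1.10", "198.51.100.5", "198.51.100.77"
    fw = ConntrackNat(public_ip, {5060: (client, 5060)}, forward_new_to_dnat)
    public_port = fw.outbound(("udp", client, 5060, registrar, 5060))[2]
    reg_verdict, _ = fw.inbound(("udp", registrar, 5060, public_ip, public_port))
    other_verdict, _ = fw.inbound(("udp", other, 5060, public_ip, public_port))
    return public_port, reg_verdict, other_verdict
```

If the SIP connection-tracking helper (nf_conntrack_sip) is loaded, its `sip_direct_signalling` module parameter (default 1) likewise tells it to expect signalling only from the registrar, which gives the same symptom for packets from any other server.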