Has anyone looked at recent work on allowing two machines both behind NAT firewalls to establish a connection. There is information at http://nutss.gforge.cis.cornell.edu/stunt.php Interestingly, they classify NAT's by how they assign ports. It would be interested to make sure netfilter is doing the right thing.