This is pretty lame to call a "hack", but I wanted to share the knowledge I couldn't easily find on the Net about how to do this.
I'm using iptables at home for IP masquerading, and my wife Beatrice wanted her Mac's iSight video chat to work through the firewall. Here's the incantation I eventually ended up adding to my /etc/init.d/iptables:

    # and set up DNAT for iChat AV stuff
    external_interface=209.157.132.91
    beatrices_mac_ip=10.6.7.253
    "$iptables" -t nat -A PREROUTING -p udp -d "$external_interface" --dport 5060 -j DNAT --to "$beatrices_mac_ip"
    "$iptables" -t nat -A PREROUTING -p udp -d "$external_interface" --dport 16384:16403 -j DNAT --to "$beatrices_mac_ip"

This apparently rewrites packets destined for such-and-such a UDP port on the external interface so that they are destined for the same port on Bea's Mac. We've tested initiating connections in both directions.

I imagine port 5060 would be the same for allowing any SIP connection to work through the firewall, but I imagine SIP applications other than iChat AV might require a different set of ports for the actual data.
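To see exactly what rules like these expose to the Internet, here is an added example (not part of the original post) that summarises the DNAT rules in an `iptables-save -t nat` dump. The function name `dnat_exposure` is hypothetical, and the sample dump is constructed from the two rules above, assuming the usual `iptables-save` output format.

```shell
#!/bin/sh
# Added example: list which ports PREROUTING DNAT rules forward to
# internal hosts. Reads `iptables-save -t nat` format on stdin.
# On a live firewall (as root): iptables-save -t nat | dnat_exposure

dnat_exposure() {
    awk '
    $1 == "-A" && $2 == "PREROUTING" {
        proto = "any"; dst = "any"; dport = ""; to = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "-d") dst = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
            else if ($i == "--to-destination") to = $(i + 1)
        }
        if (to == "") next            # not a DNAT rule
        if (dport == "") {            # no port match: every port is forwarded
            dport = "all"; count = 65535
        } else {                      # single port, lo:hi range, or comma list
            count = 0
            n = split(dport, parts, ",")
            for (j = 1; j <= n; j++) {
                m = split(parts[j], r, ":")
                count += (m == 2) ? r[2] - r[1] + 1 : 1
            }
        }
        total += count
        printf "%s %s dport %s -> %s (%d port(s))\n", proto, dst, dport, to, count
    }
    END { printf "total forwarded ports: %d\n", total }'
}

# Constructed sample: the two rules from the post as iptables-save prints them.
sample_rules='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 209.157.132.91/32 -p udp -m udp --dport 5060 -j DNAT --to-destination 10.6.7.253
-A PREROUTING -d 209.157.132.91/32 -p udp -m udp --dport 16384:16403 -j DNAT --to-destination 10.6.7.253
COMMIT'

printf '%s\n' "$sample_rules" | dnat_exposure
```

Each forwarded port is reachable from any source address, so the total is the inbound surface of the internal host that the firewall no longer hides.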
