Iptables – How do private IPv4 addresses get past iptables NAT (TCP RST, FIN)

Tags: iptables, nat, router, tcp

I've got a router performing simple NAT translation using iptables:
iptables -t nat -A POSTROUTING -o <public-iface> -j MASQUERADE
(<public-iface> stands for the modem interface; the post does not give its name)

This works fine almost all of the time except for one particular case where some TCP RST and FIN packets are leaving the router un-NAT'd.

In this scenario I set up 1 or 2 client computers streaming Flash video (e.g. www.nasa.gov/ntv).
At the router I then tear down and re-establish the public interface (which is a modem).
As expected the Flash streams stall out. After the connection is re-established and I try to refresh the Flash pages, I see some TCP RST and [FIN,ACK] packets leaving the public interface (I assume as Flash attempts to recover its stream).

I don't know how these packets can leave the router non-NAT'd.

Best Answer

Thanks for the tip. It was just what I needed to set me on the right track.

The root cause was unfiltered forwarding between the LAN and public interface. When the public interface got torn down it cleared the conntrack entries. The clients then tried to revive their connections and ended up sending out RST and FIN packets. Since NAT gets set up only on NEW connections, these packets then left the router unmodified.

I had to change my forwarding rule to only allow NEW,ESTABLISHED,RELATED packets to get forwarded from the private LAN.
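The fix described in the answer, written out as an added example (not the poster's own rules): the masquerade rule, the unfiltered FORWARD rule that let the stray RST/FIN out, and the state-filtered replacement with a LOG rule so dropped INVALID packets show up in the kernel log. The interface names eth1 and ppp0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed interface names:
# LAN_IF is the private side, WAN_IF the modem (change both to match).
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-ppp0}"

# Masquerade everything leaving the modem. The mapping is created when
# conntrack sees the first (NEW) packet of a flow and reused afterwards.
nat_rules() {
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# The original, unfiltered forwarding rule. After the modem is torn down
# the conntrack table is flushed; a RST or FIN,ACK from a client then has
# no entry, so no NAT mapping is applied, yet this rule still forwards it
# out with its private source address.
forward_rules_unfiltered() {
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
}

# The corrected forwarding policy. Linux conntrack marks a RST or FIN that
# matches no existing entry as INVALID, so it fails the state match, is
# logged with the FWD-INVALID prefix and falls through to the DROP policy.
forward_rules_filtered() {
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix 'FWD-INVALID: '"
    echo "iptables -P FORWARD DROP"
}

# Print the full corrected ruleset; with "apply" as first argument, run it
# (needs root and the nf_conntrack modules loaded).
ruleset() {
    nat_rules
    forward_rules_filtered
}

if [ "${1:-}" = "apply" ]; then
    ruleset | sh -e
else
    ruleset
fi
```

Run it without arguments to review the rules, then `./nat-forward.sh apply` as root; afterwards `dmesg | grep FWD-INVALID` shows any stale RST/FIN the filter caught.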
