I've got a router performing simple NAT translation using iptables iptables -t nat -o -j MASQUERADE

This works fine almost all of the time except for one particular case where some TCP RST and FIN packets are leaving the router un-NAT'd.

In this scenario I setup 1 or 2 client computers streaming Flash video (eg www.nasa.gov/ntv) At the router I then tear down and re-establish the public interface (which is a modem) As expected the Flash streams stall out. After the connection is re-established and I try to refresh the Flash pages, I see some TCP RST and [FIN,ACK] packets leaving the public interface (I assume as Flash attempts to recover its stream).

I don't know how these packets can leave the router non-NAT'd