conntrack delete does not stop runnig copy of big file
Solution 1:
https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
nf_conntrack_tcp_loose - BOOLEAN
0 - disabled not 0 - enabled (default)
If it is set to zero, we disable picking up already established connections.
So the already established connection is detected on-the-fly (without SYN/SYN+ACK/ACK involved) and added back as a new conntrack entry. Since it's a new conntrack entry, the nat table will be traversed again and the DNAT rule applied again. Even if one way doesn't work immediately (if there's no SNAT/MASQUERADE defined in addition to the DNAT rule the http server's outgoing packets might appear on WAN as 192.168.3.17 for a short while and be rejected/ignored by 192.168.33.13), as soon as the other way tries again (ACK retry from 192.168.33.13...) this will match.
Type this:
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
And try again deleting the conntrack entry with conntrack -D
...
This should hopefully prevent a new conntrack entry to be created and cut the download.