How can private IPV4 addresses get past iptables NAT (tcp RST,FIN)
Thanks for the tip. I was just what I needed to set me on the right track.
The root cause was unfiltered forwarding between lan and public interface. When the public interface got torn down it cleared the conntrack entries. The clients then tried to revive their connections and ended up sending out RST and FIN packets. Since NAT gets setup only on NEW connections, these packets then left the router unmodified.
I had to change my forwarding rule to only allow NEW,ESTABLISHED,RELATED packets to get forwarded from private lan.
Dropping the [RST,ACK] and [FIN,ACK] will not work. There are many application like ftp upload that will simply fail to ack the completion of the FTP transfer. The comments by gscott are the correct method, but one additional requirement is needed. You must make them strict by applying the policy
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -P INPUT DROP
With this, you need to specify all your rules, or the packets will be dropped.