NAT is not stateful. But technically even in a stateful firewall, if you Close a connection, some packets should be allowed Inbound from the other user. You would need to run a packet sniffer to see if the router is allowing packets it shouldn't or if IPTables was denying those it should have allowed, though both could be Allowing/Denying packets correctly.
Background Information
»
www.freesoft.org/CIE/Cou ··· 4/11.htmsee figure 6
»
www.faqs.org/rfcs/rfc793.htmlPart of whether the firewall allows the packets would depend on how the connection is closed and whether a RST or FIN is sent.
»
www.faqs.org/docs/iptabl ··· ons.htmlsaid by Iptables Tutorial 1.1.19:
If the connection is reset by a RST packet, the state is changed to CLOSE. This means that the connection per default have 10 seconds before the whole connection is definitely closed down. RST packets are not acknowledged in any sense, and will break the connection directly.
Also timing is important and not absolute.
said by Iptables Tutorial 1.1.19:Here is the complete list of possible states that a TCP stream may take, and their timeout values.
Table 4-2. Internal states
State Timeout value
NONE 30 minutes
ESTABLISHED 5 days
SYN_SENT 2 minutes
SYN_RECV 60 seconds
FIN_WAIT 2 minutes
TIME_WAIT 2 minutes
CLOSE 10 seconds
CLOSE_WAIT 12 hours
LAST_ACK 30 seconds
LISTEN> 2 minutes
These values are most definitely not absolute. They may change with kernel revisions, and they may also be changed via the proc file-system in the /proc/sys/net/ipv4/netfilter/ip_ct_tcp_* variables. The default values should, however, be fairly well established in practice. These values are set in jiffies (or 1/100th parts of seconds), so 3000 means 30 seconds.
So while both may be stateful they may have different timeout values for the states.