If you’re using s3 behind a VPC NAT connection, you may find that some files fail to download completely.

The problem is related to how the S3 network infrastructure utilizes certain TCP flags (push) which can confuse the Linux conntrack system.

The solution? Drop the ‘invalid’ packets and carry on with life!

iptables -I INPUT -m state --state INVALID -j DROP
/sbin/service iptables save