So to avoid loading the connection tracking module, I would put rules to handle return packets in the proper chain.
eg: iptables -A tcp_packets -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
That rule allows packets *to* port 80 - I was asking how you deal with *reply* packets - the ones *from* port 80 on the remote server.
Sorry, the OP was about packets to his box and not about replies from a box he is trying to access.
iptables -A tcp_packets -p tcp --sport 80 --dport 1024:65535 -j ACCEPT
Then I put tcp/udp/icmp packets to the proper chain
eg: iptables -A INPUT -p tcp -j tcp_packets
You could make a catch all for return packets like:
iptables -A INPUT -p tcp ! --syn -j ACCEPT
You seem to be advocating not using the ESTABLISHED,RELATED match - which would render the firewall stateless (like ipchains) instead of stateful. That seems a backwards step to me - or have I misunderstood something?
Stateful is expensive. If you have a high traffic load, it is not worth it. The context is when the box is a server. If you are protecting your home box, by all means, use stateful.
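Added example, not posted by anyone in this thread: a POSIX shell script that writes out the two INPUT rule sets being argued over (the stateless tcp_packets chain with the "! --syn" catch-all, and the conntrack ESTABLISHED,RELATED version) and models first-match evaluation of each so you can see what they do with a given packet. The chain name tcp_packets is from the thread; the default DROP policy, the IPT variable (defaults to a dry-run echo so nothing touches a live firewall) and the verdict functions are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). IPT defaults to a dry run that
# prints the commands; run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"

# Stateless variant (no conntrack module): explicit rule for packets to
# the web service, plus "! --syn" so replies get in. "! --syn" matches
# every TCP packet that is not a bare SYN, so any ACK/RST/FIN/SYN+ACK
# reaches the stack on any port, whether or not a connection exists.
stateless_rules() {
    $IPT -P INPUT DROP                                    # assumed policy
    $IPT -N tcp_packets
    $IPT -A tcp_packets -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
    $IPT -A tcp_packets -p tcp ! --syn -j ACCEPT          # reply catch-all
    $IPT -A INPUT -p tcp -j tcp_packets
}

# Stateful variant: conntrack accepts replies to connections it has seen;
# only connection requests (bare SYN) to port 80 need an explicit rule.
stateful_rules() {
    $IPT -P INPUT DROP                                    # assumed policy
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --syn --dport 80 -j ACCEPT
}

# Model of the stateless chain: stateless_verdict PROTO FLAGS SPORT DPORT
# FLAGS is a comma list such as SYN, ACK, SYN,ACK or RST.
stateless_verdict() {
    # non-TCP never reaches tcp_packets; INPUT policy applies
    [ "$1" = tcp ] || { echo DROP; return; }
    # rule 1: ephemeral source port to dport 80
    if [ "$4" -eq 80 ] && [ "$3" -ge 1024 ] && [ "$3" -le 65535 ]; then
        echo ACCEPT; return
    fi
    # rule 2: "! --syn" (--syn is SYN set with ACK, RST and FIN clear)
    case "$2" in
        SYN) echo DROP ;;      # bare SYN to any other port: no rule, policy DROP
        *)   echo ACCEPT ;;    # everything else is accepted regardless of port
    esac
}

# Model of the stateful chain: stateful_verdict CTSTATE PROTO FLAGS DPORT
# CTSTATE is what conntrack would report: NEW, ESTABLISHED or RELATED.
stateful_verdict() {
    case "$1" in
        ESTABLISHED|RELATED) echo ACCEPT; return ;;   # rule 1
    esac
    # rule 2: only a bare SYN to port 80 opens a new connection
    if [ "$2" = tcp ] && [ "$3" = SYN ] && [ "$4" -eq 80 ]; then
        echo ACCEPT
    else
        echo DROP              # includes a stray ACK to port 22
    fi
}

# Dry-run demonstration when executed directly
if [ "${IPT}" = "echo iptables" ]; then
    echo "# stateless"; stateless_rules
    echo "# stateful";  stateful_rules
    echo "stray ACK to 22, stateless: $(stateless_verdict tcp ACK 44444 22)"
    echo "stray ACK to 22, stateful:  $(stateful_verdict NEW tcp ACK 22)"
fi
```

The two verdict functions are a model of first-match evaluation, not a packet filter; they exist to make the trade-off concrete. The same stray ACK to port 22 is accepted by the stateless chain (it is "not SYN") and dropped by the stateful one (conntrack reports NEW, and only SYN to 80 is allowed), which is what the ESTABLISHED,RELATED match buys in exchange for the tracking cost discussed above.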