Thanks Patrick, putting SYNPROXY in FORWARD did it.

On Fri, Jan 3, 2014 at 5:19 AM, Patrick McHardy <kaber@xxxxxxxxx> wrote:
> On Thu, Jan 02, 2014 at 03:30:21PM -0800, Vincent Li wrote:
>> Hi Patrick,
>>
>> I should have put this question in the user list instead of the dev list, but
>> I couldn't find any user-based documentation on how to test the
>> SYNPROXY target other than the message in the SYNPROXY patch series.
>> So here is my setup:
>>
>> ---packet flow
>>
>> client 10.1.72.99 (vlan 1101) <-> Linux with SYNPROXY rule - 10.1.72.9
>> (vlan 1101) 10.2.72.139 (vlan 1102) <-> server 10.2.72.99
>> ...
>> /usr/local/sbin/iptables -A INPUT -i $EXTIF -p tcp --dport 80 -m state
>> --state UNTRACKED,INVALID -j SYNPROXY --sack-perm --timestamp --mss
>> 1460 --wscale 5
>> 00000000 00000000
>>
>> I think I might be missing something and not testing SYNPROXY properly. Any clue?
>
> I guess you need to put the SYNPROXY rule in FORWARD instead of INPUT.
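The fix discussed above, worked into a complete ruleset for the router case, as an added example (this is not code from the thread, from Vincent Li, or from the netfilter project). The box in the thread sits between two VLANs and forwards the client's packets, so they never traverse INPUT; SYNPROXY has to be in FORWARD, with the client's SYNs marked untracked in the raw table first and leftover INVALID packets dropped afterwards. The second half shows how to tell whether the rule is actually being hit: the kernel exposes per-CPU counters in /proc/net/stat/synproxy (columns entries, syn_received, cookie_invalid, cookie_valid, cookie_retrans, conn_reopened, one hex row per CPU), and all-zero rows after a client has connected mean the target is not seeing the traffic. Assumptions: EXTIF and DPORT are placeholders for the client-facing interface and service port; `-m conntrack --ctstate` is used instead of the older `-m state` from the thread; the TCP option values are the example's own and should match what the real server negotiates; the stat files below are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example: SYNPROXY for traffic forwarded through a Linux router.
# Set DRY_RUN=1 to print the commands instead of executing them (no root needed).

EXTIF="${EXTIF:-eth0}"   # assumption: client-facing interface (vlan 1101 in the thread)
DPORT="${DPORT:-80}"     # assumption: protected service port

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

synproxy_ruleset() {
    # 1. conntrack must not accept mid-stream ACKs as new connections;
    #    SYNPROXY has to be the only thing validating the client's handshake.
    run sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
    # 2. Client SYNs bypass conntrack so no entry exists until the
    #    handshake with the proxy has completed.
    run iptables -t raw -A PREROUTING -i "$EXTIF" -p tcp --dport "$DPORT" \
        --syn -j CT --notrack
    # 3. SYNPROXY goes in the chain the traffic actually traverses. For a
    #    router that is FORWARD; INPUT only sees packets addressed to the box.
    run iptables -A FORWARD -i "$EXTIF" -p tcp --dport "$DPORT" \
        -m conntrack --ctstate INVALID,UNTRACKED \
        -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
    # 4. Whatever is still INVALID after SYNPROXY (e.g. ACKs that never
    #    completed a proxied handshake) is dropped, not forwarded.
    run iptables -A FORWARD -i "$EXTIF" -p tcp --dport "$DPORT" \
        -m conntrack --ctstate INVALID -j DROP
}

# Sum one column of a /proc/net/stat/synproxy-style file across all CPUs.
# $1 = file, $2 = column name (entries, syn_received, cookie_invalid,
# cookie_valid, cookie_retrans, conn_reopened). Values are hex per row.
synproxy_counter() {
    _total=0
    while read -r _e _sr _ci _cv _cr _co _rest; do
        [ "$_e" = "entries" ] && continue   # skip header line
        case "$2" in
            entries)        _v=$_e  ;;
            syn_received)   _v=$_sr ;;
            cookie_invalid) _v=$_ci ;;
            cookie_valid)   _v=$_cv ;;
            cookie_retrans) _v=$_cr ;;
            conn_reopened)  _v=$_co ;;
            *) return 1 ;;
        esac
        _total=$(( _total + 0x$_v ))
    done < "$1"
    printf '%d\n' "$_total"
}

# Succeeds only if SYNPROXY has seen at least one SYN, i.e. the rule is being hit.
synproxy_engaged() {
    [ "$(synproxy_counter "$1" syn_received)" -gt 0 ]
}

# Constructed sample stat files (same layout as /proc/net/stat/synproxy):
# one where the proxy is handling connections, one where it is never reached.
SAMPLE_STAT="$(mktemp)"
SAMPLE_ZERO="$(mktemp)"
trap 'rm -f "$SAMPLE_STAT" "$SAMPLE_ZERO"' EXIT
cat > "$SAMPLE_STAT" <<'EOF'
entries		syn_received	cookie_invalid	cookie_valid	cookie_retrans	conn_reopened
00000000 00000003 00000000 00000002 00000001 00000000
00000000 00000001 00000000 00000001 00000000 00000000
EOF
cat > "$SAMPLE_ZERO" <<'EOF'
entries		syn_received	cookie_invalid	cookie_valid	cookie_retrans	conn_reopened
00000000 00000000 00000000 00000000 00000000 00000000
EOF

# Usage: sh synproxy.sh apply            (as root, installs the rules)
#        DRY_RUN=1 sh synproxy.sh apply  (prints the commands only)
#        then: synproxy_engaged /proc/net/stat/synproxy after a client connects
if [ "${1:-}" = "apply" ]; then
    synproxy_ruleset
fi
```

Run with DRY_RUN=1 first to review the generated commands; the thread's symptom (all-zero counters) is exactly what `synproxy_engaged /proc/net/stat/synproxy` would report while the rule still sits in INPUT.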