I am attempting to implement a transparent TCP proxy which can delay the sending of SYN,ACK back to the local client machine until the internet-side server acknowledges the connection. This is to allow correct operation of TCP services which rely on rejected connections from the server.

I've got NFQUEUE working with a rule such as (eth1 is my local device):

    iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,ACK SYN,ACK -o eth1 -j NFQUEUE --queue-num 0

The problem is that if I combine the above rule with a NAT rule to implement the redirection of TCP to my proxy, the packet headers which arrive in the queue contain the source IP address/port of the proxy rather than the internet server's source IP address/port. Matching the connection without the server's info is not reliable. I've tried putting the above rule on the nat table but I get no matches.

Is there some way to get what I need? My only other option is to separately track the local client's source IP address/port and try to match up the SYN,ACK packets using that information.

thanks!!!!

-Jim.