İbrahim Ercan <ibrahim.metu@xxxxxxxxx> wrote:
> I have a problem with using syn proxy to protect different kinds of servers.
> I have a firewall that is located in front of some servers. These servers
> are of different kinds (like Linux and Windows) and are not managed by me.
> The problem is caused by the wscale parameter of the syn proxy rule. When I
> listen to the servers' traffic, I realize they are working with different
> wscale options.
> I tried to write the syn proxy rule without giving the wscale parameter, as
> below, but it didn't work.
>
> iptables -A PREROUTING -t raw -i eth0 -p tcp -m tcp --syn -j CT --notrack
> iptables -A FORWARD -i eth0 -p tcp -m tcp -m state --state INVALID,UNTRACKED --sack-perm --timestamp
> iptables -A FORWARD -i eth0 -p tcp -m tcp -m state --state INVALID -j DROP

You did not show the actual -j SYNPROXY rules. You need different SYNPROXY
targets for each server anyway, so why can't you provide the correct
parameters there?

> I also tried to set net.ipv4.tcp_window_scaling=0 with sysctl, but it
> also didn't work.
> Is there any practice to solve this issue?

No, it's not possible to do this: the SYN cookie generated by the SYNPROXY
target decides the window scale to be used, so it must match that of the
real server.
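The reply's point is that each backend needs its own SYNPROXY rule with parameters matching what that backend puts in its SYN-ACK. The helper below (added here, not from the thread) reads the MSS, window scale, SACK-permitted and timestamp options out of a captured SYN-ACK TCP header and renders the matching per-server rule. The two SYN-ACK headers are constructed samples, and the interface eth0 and the 192.0.2.x server addresses are assumptions.

```python
import struct
# TCP option kinds (RFC 793, RFC 7323, RFC 2018)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8

def parse_synack_options(tcp_header: bytes) -> dict:
    """Extract the options SYNPROXY has to mirror from a server's SYN-ACK TCP header."""
    data_offset = (tcp_header[12] >> 4) * 4   # header length in bytes; options start at byte 20
    if tcp_header[13] & 0x12 != 0x12:         # both SYN and ACK must be set
        raise ValueError("not a SYN-ACK segment")
    opts = {"mss": None, "wscale": None, "sack_perm": False, "timestamp": False}
    i = 20
    while i < data_offset:
        kind = tcp_header[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = tcp_header[i + 1] if i + 1 < data_offset else 0
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option")
        body = tcp_header[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            opts["wscale"] = body[0]
        elif kind == OPT_SACK_PERM and length == 2:
            opts["sack_perm"] = True
        elif kind == OPT_TIMESTAMP and length == 10:
            opts["timestamp"] = True
        i += length
    return opts

def synproxy_rule(server: str, port: int, opts: dict) -> str:
    """Render one FORWARD rule whose SYNPROXY parameters match that server's SYN-ACK."""
    rule = (f"iptables -A FORWARD -i eth0 -p tcp -d {server} --dport {port} "
            "-m state --state INVALID,UNTRACKED -j SYNPROXY")
    for flag, present in (("--sack-perm", opts["sack_perm"]), ("--timestamp", opts["timestamp"])):
        rule += f" {flag}" if present else ""
    for flag, value in (("--wscale", opts["wscale"]), ("--mss", opts["mss"])):
        rule += f" {flag} {value}" if value is not None else ""
    return rule

def _synack(options: bytes) -> bytes:  # constructed SYN-ACK header with dummy ports/sequence numbers
    options += b"\x01" * (-len(options) % 4)   # pad to a 32-bit boundary with NOPs
    return struct.pack("!HHIIBBHHH", 443, 40000, 1, 1, ((20 + len(options)) // 4) << 4, 0x12, 65535, 0, 0) + options

# Constructed SYN-ACKs from two backends: one offers wscale 7 with timestamps, the other wscale 8 without
SERVER_A = _synack(b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07")
SERVER_B = _synack(b"\x02\x04\x05\x78\x01\x01\x04\x02\x01\x03\x03\x08")
```

Feeding each server's header through `synproxy_rule(server, 443, parse_synack_options(hdr))` yields one rule per backend, which is the per-server set of SYNPROXY targets the reply asks for.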