We currently do a type of Layer 7 filtering where all packets matching our u32 rule gets redirected to another port that caches information, this happens on our firewall (running Ubuntu with IPtables) before it hits our windows machines.

An example of one of these rules looks like this:
This all works great, instead of the packets reaching our windows server and bogging it down from medium sized attacks our caching program will respond to them.

However, I want ALL packets matching that rule to get passed. Currently, only new packets hitting our server will get redirected, IP's and Ports that have already hit our firewall will pass right through.

I found a fix for this, and it was to set both of these to 0:
This worked great and redirected everything, but even on a small attack <50Mbps IPTables just stops working and drops everything. My Caching program isn't the bottleneck and everything else seems to be working fine.

Any ideas?

edit:
I previously also found some information on it here:
http://serverfault.com/questions/741.../741108#741108

What makes this more odd, is that without the two settings above, we were seeing 300-400Mbps floods that were perfectly being cached by our program without issue as all NEW (spoofed) packets were being redirected anyway.

No luck yet however.

Oh, I would also like to note that only incoming traffic passes through this firewall, outgoing traffic from our windows machines passes straight to the switch.

I'm unsure if that makes any difference, but I know it affects "stateful" stuff.

So this is still a huge issue with no fix being found. I saw using -m conntrack --ctexpire-set to set the individual packets conntrack time but "ctexpire-set" seems to have been removed.

I'm needing packets matching xxxx payload on destination port 27035 to be redirected to another port. NAT seems to be the only way but only the first packet gets redirected. What can I do to solve this?