linux
louvremaster, 2016-10-05 13:06:03

How to make iptables+synproxy and forwarding to gre-tunnel work together?

The idea is as follows: there is one machine with enough resources to withstand the SYN flood, and traffic from it is sent through a GRE tunnel to another machine. With some simple rules:
iptables -t nat -A POSTROUTING -s 192.168.168.0/30 ! -o gre+ -j SNAT --to-source XXX.XXX.XXX.XXX
iptables -t nat -A PREROUTING -p tcp -d XXX.XXX.XXX.XXX --dport 80 -j DNAT --to-destination 192.168.168.2:80
iptables -A FORWARD -d 192.168.168.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
SYNPROXY should help here:
iptables -t raw -I PREROUTING -i eth0 -p tcp -m tcp --syn --dport 80 -j CT --notrack
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m state --state INVALID -j DROP
But the problem is that with these rules, traffic stops entering the tunnel. The question is: how do I filter out the flood and send only clean traffic into the tunnel?
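An added check script, not from this thread, that audits a ruleset like the one above for the SYNPROXY prerequisites the kernel documentation lists, and for the NAT interaction that keeps traffic out of the tunnel: NAT is applied through conntrack, so a SYN marked --notrack is never DNATed and the proxied handshake happens against the local address rather than the backend behind the tunnel. The sample rules are a constructed copy of the question's ruleset; the function names, the XXX.XXX.XXX.XXX placeholder and the tcp_loose argument are assumptions.

```shell
#!/bin/sh
# Audit an iptables ruleset (iptables-save dump or the commands as typed) for the
# SYNPROXY prerequisites and for the DNAT/notrack conflict. Added example; the
# sample rules below are a constructed copy of the question's ruleset.

# check_synproxy_ruleset FILE TCP_LOOSE
#   FILE       ruleset text, one rule per line
#   TCP_LOOSE  value of net.netfilter.nf_conntrack_tcp_loose on the proxy host
# Prints one finding per line and returns the number of findings (0 = clean).
check_synproxy_ruleset() {
    f="$1"; loose="$2"; n=0
    # 1. SYNs must be untracked in raw PREROUTING, otherwise SYNPROXY never sees them
    #    (iptables-save renders --syn as --tcp-flags FIN,SYN,RST,ACK SYN).
    grep -Eq -- '(--syn|--tcp-flags [A-Z,]+ SYN) .*-j CT --notrack' "$f" \
        || { echo "missing: raw PREROUTING --syn -j CT --notrack"; n=$((n+1)); }
    # 2. The proxy rule must match both states: the SYN is UNTRACKED, the client ACK INVALID.
    grep -q -- 'INVALID,UNTRACKED -j SYNPROXY' "$f" \
        || { echo "missing: SYNPROXY rule matching state INVALID,UNTRACKED"; n=$((n+1)); }
    # 3. Whatever is still INVALID after the proxy (bad cookies, stray ACKs) gets dropped.
    grep -q -- 'INVALID -j DROP' "$f" \
        || { echo "missing: state INVALID -j DROP after the SYNPROXY rule"; n=$((n+1)); }
    # 4. With tcp_loose=1 conntrack would adopt the client's bare ACK as a new flow
    #    and steer it around the proxy; the SYNPROXY documentation requires 0.
    [ "$loose" = "0" ] \
        || { echo "sysctl: net.netfilter.nf_conntrack_tcp_loose must be 0"; n=$((n+1)); }
    # 5. NAT is applied through conntrack, so an untracked SYN is never DNATed: the
    #    proxied handshake happens against the local address, not the tunnel backend.
    port=$(sed -n 's/.*--dport \([0-9]*\) .*-j SYNPROXY.*/\1/p' "$f" | head -n 1)
    [ -n "$port" ] && grep -q -- "--dport $port -j DNAT" "$f" \
        && { echo "conflict: DNAT and SYNPROXY on port $port (untracked SYN bypasses NAT)"; n=$((n+1)); }
    return $n
}

# Constructed sample: the question's DNAT rule plus its SYNPROXY rules (XXX... is a placeholder).
sample_question_rules() {
    cat <<'EOF'
-A PREROUTING -p tcp -d XXX.XXX.XXX.XXX --dport 80 -j DNAT --to-destination 192.168.168.2:80
-A PREROUTING -i eth0 -p tcp -m tcp --syn --dport 80 -j CT --notrack
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
-A INPUT -m state --state INVALID -j DROP
EOF
}
```

Run it against `iptables-save` output together with `sysctl -n net.netfilter.nf_conntrack_tcp_loose`; a non-zero return means at least one of the listed conditions is not met.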

louvremaster, 2016-10-05
@louvremaster

Some of the problems were resolved by nf_conntrack_proto_gre.
Instead of the raw table, I used mangle.