Linux – SYNPROXY is not working?

I have a firewall that looks something like this:

# HTTPS inbound                                                                   
iptables -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 443 -j ACCEPT  
iptables -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED --sport 443 -j ACCEPT  

# HTTPS outbound                                                                 
iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 443 -j ACCEPT


# HTTP inbound
iptables -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 80 -j ACCEPT  
iptables -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED --sport 80 -j ACCEPT  

# HTTP outbound
iptables -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED --dport 80 -j ACCEPT

# Reject everything that doesn't match
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
iptables -A OUTPUT -j REJECT

ip6tables -A INPUT -j REJECT
ip6tables -A FORWARD -j REJECT
ip6tables -A OUTPUT -j REJECT

iptables -t raw -A PREROUTING -p tcp --dport 443 -m tcp --syn -j CT --notrack
iptables -A INPUT -p tcp --dport 443 -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

These rules clear all traffic on port 443! When I check the raw data table, this is displayed, which in my opinion means that conntrack should allow SYNPROXY to track it. The problem is that SYNPROXY does not do anything.

CT         tcp  --  anywhere             anywhere             tcp dpt:http tcp flags:FIN,SYN,RST,ACK/SYN CT notrack

If I run watch -n1 cat /proc/net/stat/synproxy, nothing is incremented. I can run iptables -t raw -F to resume traffic, but it means that I have no SYNPROXY protection at all. I want to use SYNPROXY. What can I do to fix the problem?
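Added example (not part of the original post): a first-match trace of the posted raw and INPUT rules for an inbound SYN, showing which rule decides it as posted, after iptables -t raw -F, and with the SYNPROXY rule moved ahead of the catch-all REJECT. It assumes the chains were empty and the commands ran in the order listed; the helper names are hypothetical, and the model covers only the first SYN on INPUT, not the OUTPUT chain or sysctl settings.

```python
import shlex
# INPUT and raw rules copied from the post, in the order the commands are run.
POSTED = """\
iptables -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 80 -j ACCEPT
iptables -A INPUT -j REJECT
iptables -t raw -A PREROUTING -p tcp --dport 443 -m tcp --syn -j CT --notrack
iptables -A INPUT -p tcp --dport 443 -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
"""

def parse(line):
    """Pull out the fields this model needs from one iptables command."""
    tok = shlex.split(line)
    opt = lambda flag, default=None: tok[tok.index(flag) + 1] if flag in tok else default
    dport, states = opt("--dport"), opt("--ctstate")
    return {"table": opt("-t", "filter"), "chain": opt("-A"), "target": opt("-j"),
            "dport": int(dport) if dport else None,
            "states": set(states.split(",")) if states else None,
            "notrack": "--notrack" in tok}

def trace_syn(ruleset, dport):
    """Return (conntrack state, deciding INPUT target) for an inbound TCP SYN."""
    rules = [parse(l) for l in ruleset.strip().splitlines()]
    # raw/PREROUTING runs before conntrack: CT --notrack leaves the SYN UNTRACKED, not NEW.
    untracked = any(r["table"] == "raw" and r["notrack"] and r["dport"] in (None, dport)
                    for r in rules)
    state = "UNTRACKED" if untracked else "NEW"
    for r in rules:
        if ((r["table"], r["chain"]) == ("filter", "INPUT")
                and r["dport"] in (None, dport)
                and (r["states"] is None or state in r["states"])):
            return state, r["target"]  # first match decides the packet
    return state, "POLICY"

def move_before(ruleset, needle, anchor):
    """Place the line containing `needle` ahead of the line containing `anchor`."""
    lines = ruleset.strip().splitlines()
    moved = next(l for l in lines if needle in l)
    lines.remove(moved)
    lines.insert(next(i for i, l in enumerate(lines) if anchor in l), moved)
    return "\n".join(lines)

REORDERED = move_before(POSTED, "-j SYNPROXY", "-A INPUT -j REJECT")
RAW_FLUSHED = "\n".join(l for l in POSTED.splitlines() if "-t raw" not in l)

if __name__ == "__main__":
    for name, rs in [("posted", POSTED), ("raw flushed", RAW_FLUSHED), ("reordered", REORDERED)]:
        print(f"{name:12} SYN to 443 ->", trace_syn(rs, 443))
```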

Nginx, Borg Backup, Netdata Monitoring, Firehol Firewall with Synproxy, HA & LB on WHM and cPanel

Autom8n (https://autom8n.com/) is a multi-functional plugin that supports

1. Change the LAMP / LEMP stack on a domain basis
2. SYNPROXY synflood protection for the webstack
3. Nginx DDoS reduction
4. Highly secure SSL library with LibreSSL
5. Borg Deduplicating Encrypted Backups (Can be used instead of the default cPanel backup on local drives / mounts or remote servers with ssh.)
Borg is more space and time efficient than the standard cPanel backup
6. Netdata (for server performance history graphs) – useful for capacity planning and troubleshooting
7. Seamless clustering for HA and load balancing of any cPanel server when adding a new DNS-only cPanel server

Proactive cluster management with 24/7 monitoring and support (emergency response via Skype / phone, ticket support for standard issues with 12-hour response SLA on all days)