
Rewrite source IP in TCP replies using iptables

2 votes
1 answer
4543 views
I'd like to rewrite the source IP on TCP/514 traffic leaving a redhat machine, for connections that weren't initiated from the machine. The machine receives TCP/514 traffic on an interface, for example 10.10.0.20, and then I'd like to return the traffic as though the reply is from 10.10.0.15 (which isn't assigned to the machine).

If I were initiating the connection, then I could use the nat table, and:

```
iptables -A POSTROUTING -t nat -p tcp --sport 514 -j SNAT --to=10.10.0.15
```

...but since I'm replying to incoming traffic, I can't make it hit the nat table (as far as I can tell). Ignoring the reasons *why* I need to do things this way, how can I make this work?

More background:

> It's a redhat 7 machine sitting behind a Netscaler VIP which receives syslog traffic over TCP (not UDP). I'm using client IP passthrough on the VIP. Due to the firewall seeing return traffic coming from the syslog server IP, not the VIP's IP, the firewall is dropping the traffic, and hence I'd like to rewrite TCP replies from the syslog server so they come from the VIP's IP address. Since the traffic doesn't originate from the backend server, I don't seem to be able to use the nat table (and therefore no -j SNAT).

What I see now is:

```
13:13:45.439683 IP 10.10.0.8.31854 > 10.10.0.20.514: Flags [S], seq 544116376, win 8190, options [mss 1460], length 0
13:13:45.439743 IP 10.10.0.20.514 > 10.10.0.8.31854: Flags [S.], seq 4163333198, ack 544116377, win 14600, options [mss 1460], length 0
```

What I want to see is:

```
13:13:45.439683 IP 10.10.0.8.31854 > 10.10.0.20.514: Flags [S], seq 544116376, win 8190, options [mss 1460], length 0
13:13:45.439743 IP 10.10.0.15.514 > 10.10.0.8.31854: Flags [S.], seq 4163333198, ack 544116377, win 14600, options [mss 1460], length 0
```
Asked by Daneel (928 rep)
Aug 19, 2015, 06:47 AM
Last activity: Sep 23, 2019, 09:16 AM
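The following is an added example, not part of the question or of any answer on the page. It illustrates why the `-j SNAT` rule in the question never sees the replies, and shows one way to get the second trace above without the nat table: a stateless source-address rewrite on the egress qdisc with tc's `nat` action (act_nat). The addresses and port are the ones from the question; the interface name `eth0` and the presence of the act_nat kernel module are assumptions (check the latter with `modinfo act_nat`).

```sh
#!/bin/sh
# Added example (not from the original post): stateless rewrite of the
# syslog server's own TCP/514 replies from 10.10.0.20 to the VIP 10.10.0.15
# using tc's "nat" action (act_nat).
#
# Why the nat table cannot do this: iptables NAT is driven by conntrack, and
# the nat table is consulted only for the first packet of a connection. For
# a connection that arrives at this host, that packet is the inbound SYN,
# which traverses PREROUTING and INPUT and never POSTROUTING. The reply
# source is then fixed to the original destination (10.10.0.20), and the
# SYN-ACK plus every later reply are ESTABLISHED packets that skip the nat
# table entirely. act_nat runs on the egress qdisc, after netfilter, so it
# rewrites the packet without touching conntrack state.
#
# Assumptions (not stated in the post): outbound interface eth0, act_nat
# module available.
set -eu

DEV="${DEV:-eth0}"      # assumed interface facing the firewall/clients
SERVER_IP="10.10.0.20"  # address the syslog daemon listens on (from the post)
VIP_IP="10.10.0.15"     # Netscaler VIP the firewall expects replies from
PORT=514

# Emit the tc commands that install the rewrite, one complete command per
# line, so they can be reviewed before being applied.
build_egress_rewrite() {
    dev="$1"; old="$2"; new="$3"; port="$4"
    # An egress filter needs a classful root qdisc to hang off; prio keeps
    # the default FIFO behaviour for all traffic.
    echo "tc qdisc add dev $dev root handle 1: prio"
    # Match only this host's replies (TCP, src = server IP, sport = 514)
    # and map the /32 source to the VIP. "egress" in act_nat terms means
    # SNAT; "ingress" would rewrite the destination. act_nat fixes the IP
    # and TCP checksums itself.
    echo "tc filter add dev $dev parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff match ip src $old/32 match ip sport $port 0xffff action nat egress $old/32 $new/32"
}

# Deleting the root qdisc removes its filters, i.e. undoes the rewrite.
build_egress_cleanup() {
    echo "tc qdisc del dev $1 root"
}

# Default is a dry run that prints the commands; APPLY=1 executes them
# (needs root / CAP_NET_ADMIN on the real box).
run_cmds() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            $cmd
        else
            echo "$cmd"
        fi
    done
}

case "${1:-add}" in
    add)
        build_egress_rewrite "$DEV" "$SERVER_IP" "$VIP_IP" "$PORT" | run_cmds
        if [ "${APPLY:-0}" = "1" ]; then
            # Hit counters on the filter confirm replies are being rewritten.
            tc -s filter show dev "$DEV" parent 1:
        fi
        ;;
    del)
        build_egress_cleanup "$DEV" | run_cmds
        ;;
    *)
        echo "usage: $0 [add|del]" >&2
        exit 1
        ;;
esac
```

Run it as-is to see the commands, `APPLY=1 ./rewrite.sh add` to install them and `APPLY=1 ./rewrite.sh del` to remove them. Two things to verify on the real box before relying on it: the local conntrack table still records the connection as 10.10.0.8 to 10.10.0.20 in both directions (the rewrite happens after netfilter on the way out, and the Netscaler keeps delivering the client's packets to 10.10.0.20), so local iptables rules keep working; and the firewall now sees a SYN to 10.10.0.15 answered by a SYN-ACK from 10.10.0.15, which is the pairing it was dropping on before. The `match ip sport` u32 match assumes a 20-byte IP header, which is the normal case for this traffic.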